If using FAST with Heimdal Kerberos, and if a user password has expired, the user cannot change his own password from the Windows login screen because of the "insuccifient ressource" message that does not trigger the change password dialog screen. We don't see this issue if Samba is compiled using MIT Kerberos (hence, no issue with Fedora Samba-AD package that are using MIT Kerberos instead of Heimdal). Step to reproduce : * Enable GPO "Kerberos client support for claims, compound authentication and Kerberos armoring" on a Windows client * Force user to change password at next logon
Created attachment 18316 [details] KO_bugzilla-heimdal-user-fast-changepasswd.pcap
Created attachment 18317 [details] OK_bugzilla-mit-user-fast-changepasswd.pcap
I think in the MIT case the client is not using FAST (I'm not an expert in this area, but the AS_REQ packet looks very different -- for a start, it is 311 bytes for MIT, 2136 for Heimdal). Is it possible to get a similar pcap against Windows?
Hi Douglas, Thanks for your answer. You are right, there seems to be also an issue with FAST on Samba-AD with MIT Kerberos (but a different one :-) ). As per your request, I attached a similar pcap against a Windows MS-AD. PS : on MSAD, I see the krbtgt user have the msDS-SupportedEncryptionTypes to 0x50000 (flag FAST supported [1]) . I don't know if this is important used by the client to enforce FAST on the client (in addition to the gpo). Yohannès [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919
Created attachment 18328 [details] w2k19 fast change passwd
Created attachment 18334 [details] patch to not send an ntstatus value in the reply Are you able to compile with this patch and see if it makes a difference?
Great, it's good. Thank you Douglas !
This bug was referenced in samba master: 6dc6168719cf232ac2c1d747f10aad9b13300c02 c5ee0b60b20011aeaa60c2f549c2a78269c97c8f fe90576871b5d644b9e888fd7a0b0351feaba750
Created attachment 18358 [details] patch for Samba 4.20
Created attachment 18359 [details] patch for Samba 4.19
Comment on attachment 18359 [details] patch for Samba 4.19 The CI failure was just an issue with the 4.19 release. The pipeline passes with that addressed.
Comment on attachment 18358 [details] patch for Samba 4.20 I think the extra patches should have the BUG: tag added. It doesn't say so at https://wiki.samba.org/index.php/Samba_Release_Planning#Patch_Process but it looks like the convention might be to add the BUG: at the end either before or after the cherry-pick line. Otherwise looks good.
Comment on attachment 18359 [details] patch for Samba 4.19 likewise this one looks good but could be improved by more BUG:s.
Created attachment 18360 [details] patch v2 for Samba 4.20
Created attachment 18361 [details] patch v2 for Samba 4.19
For 4.19 and 4.20.
Pushed to autobuild-v4-{20,19}-test.
This bug was referenced in samba v4-19-test: fc8beb134d247667d9c94900fed3761cd08b796d a35edbb5302fd83ec24eb731d3078e7a3d064ce8 e65a4281c139b7d07560aad8963653b1eb6c70ea 9c64cd3f2e02f88ebd16c6785e0d1fa34926aebb 2102b619cf68ddcd3d9b3c4e4d6a3381966d4894 7cc2b7b0288684f0d5444293ecc2562cc94c407f 86034d86d98489bdde6777e1632b9deeddd3e414 2cf809bb1f3a6311d8f5e3ba745091e36ca9a943
This bug was referenced in samba v4-20-test: 4e57b8a5fe68427b844d94f79ea071f333107f6b c1433f821f7c5f6ec3ce93c0c1d79c8a3f51fce1 50a417a2240f99b155fed436df32bf242e579f73 d4c1e215a9bd60c02f3450aa602725663d919d81 41c8a42c8ae8b89354ddaa02ea3d0035445d6b44 bff728a842fde296d70f5c993087b4e47794a98a
Closing out bug report. Thanks!