Bug 15746 - kinit/heimdal leaks information about password expiry
Summary: kinit/heimdal leaks information about password expiry
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-24 16:21 UTC by Felix Botner
Modified: 2026-03-31 03:09 UTC
CC: 4 users

See Also:


Attachments
kinit.log (8.31 KB, text/plain), 2024-10-24 16:23 UTC, Felix Botner, no flags
Proposed fix (version 1) (1.43 KB, patch), 2026-03-26 01:50 UTC, Gary Lockyer, flags: gary: ci-passed+

Description Felix Botner 2024-10-24 16:21:46 UTC
Samba version: 4.21.1

After creating a user object with an expired password (--must-change-at-next-login), kinit shows "Password has expired" even with a wrong password.

$ samba-tool user add foobar foobar.99 --must-change-at-next-login

# FAIL, with wrong password
./bin/default/third_party/heimdal_build/samba4kinit.inst foobar
foobar@FIVE.TWO's Password: 
Password has expired
samba4kinit.inst: Password incorrect

Why do I get "Password has expired" here? This should not be shown, right? (And it is not with Samba 4.18.3.)

# OK, password change dialog with correct password 
$ ./bin/default/third_party/heimdal_build/samba4kinit.inst foobar
foobar@FIVE.TWO's Password: 
Password has expired
Your password will expire at Thu Jan  1 01:00:00 1970
Changing password
New password:

LDIF:

dn: CN=foobar,CN=Users,DC=five,DC=two
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: foobar
instanceType: 4
whenCreated: 20241024155926.0Z
uSNCreated: 4355
name: foobar
objectGUID: 53cb3a5d-8f87-4ec3-84b2-06b3622002e6
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1756134253-1098979800-3493687893-1118
accountExpires: 9223372036854775807
sAMAccountName: foobar
sAMAccountType: 805306368
userPrincipalName: foobar@five.two
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=five,DC=two
pwdLastSet: 0
userAccountControl: 512
lastLogonTimestamp: 133742596154241010
whenChanged: 20241024160655.0Z
uSNChanged: 4359
lastLogon: 133742596154341000
logonCount: 2
distinguishedName: CN=foobar,CN=Users,DC=five,DC=two

As an attachment you can find the krb5 client debug log for the kinit with a wrong password.

This also happens with the standard heimdal kinit tool, so it may be a problem in the response from the KDC?

Thanks,
Felix
Comment 1 Felix Botner 2024-10-24 16:23:43 UTC
Created attachment 18483
kinit.log

kinit with wrong password and debug
Comment 2 Douglas Bagnall 2024-10-25 02:14:52 UTC
I think this is probably not a bug, being the best of two imperfect alternatives.

Either you leak the expiry, or you leak a little bit of information about what the old password isn't. Returning some other error code would make a brute-force attack on the old password easier.

This was probably changed with this commit: https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/commit/4c2f7224258f20bfa2f08eaf2dafe75100457662 which was moving to match windows.
Comment 3 Felix Botner 2024-10-25 09:52:54 UTC
Thanks!

But I don't really understand your argument.

> Either you leak the expiry or you leak a little bit of information about what 
> the old password isn't. Returning some other error code which would make a 
> brute-force attack on the old password easier.

If I throw a wrong password at it and it tells me "Password has expired" and "Password incorrect" instead of just "Password incorrect", that is additional information.

Why should the KDC do that?
Comment 4 Douglas Bagnall 2024-11-01 01:34:38 UTC
(In reply to Felix Botner from comment #3)
> If I throw a wrong password at it and it tells me "Password has expired" and "Password incorrect" instead of just "Password incorrect", that is additional information.

> Why should the KDC do that?

hmm, yes.

I think I was imagining (as opposed to properly reading) that it would not tell you "wrong password" until you had tried to set a new password.

Have you tried against Windows?
Comment 5 Felix Botner 2024-11-01 12:33:12 UTC
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
Hotfix(s):                 53 Hotfix(s) Installed.
...
[53]: KB5005701

Created an AD user object with "User must change password at next logon":

$ ldbsearch  -H ldap://10.210.36.83 -U Administrator%'Univention@99#+?=$'  cn=test1 
+ ldbsearch -H ldap://10.210.36.83 -U 'Administrator%Univention@99#+?=$' cn=test1
# record 1
dn: CN=test1,CN=Users,DC=utotest235win,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
givenName: test1
distinguishedName: CN=test1,CN=Users,DC=utotest235win,DC=test
instanceType: 4
whenCreated: 20241101121936.0Z
whenChanged: 20241101121950.0Z
displayName: test1
uSNCreated: 12811
uSNChanged: 12821
name: test1
objectGUID: 224206dc-c9da-4029-9207-348aa3b4b81a
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133749371856716448
lastLogoff: 0
lastLogon: 133749371909681216
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-490277428-4136810947-3753624039-1111
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: test1
sAMAccountType: 805306368
userPrincipalName: test1@utotest235win.test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=utotest235win,DC=test
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133749371909681216

From a linux client with krb5 config pointing to the windows AD:

# wrong password
$ kinit test1
test1@UTOTEST235WIN.TEST's Password: 
kinit: Password incorrect

# correct password
$ kinit test1
test1@UTOTEST235WIN.TEST's Password: 
Password has expired
Your password/account will expire at Thu Jan  1 01:00:00 1970
Changing password
New password:

I don't see this "Password has expired" when I log on to a Windows AD.
Comment 6 Denis Cardon 2026-03-10 17:06:32 UTC
Hi everyone,

I confirm the difference in behaviour between Samba-AD and MS-AD.

When a user's password is expired and the user enters an INCORRECT password on a Windows 11 logon screen:

* with MS-AD, the message is "The password is incorrect. Try again."

* with Samba-AD, the message is "Your password has expired and must be changed."

On MS-AD, when the same user enters the CORRECT password, the message is "Your password has expired and must be changed."

In every case the user is asked to change the password, so this is not a blocking bug, but the error code that Samba sends back to the client is not the same as MS-AD's. It seems that the difference is that MS-AD sends a KRB5KDC_ERR_PREAUTH_REQUIRED message first while Samba does not.
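The ordering issue that comments 2, 5 and 6 circle around can be shown with a small model of the AS exchange. The following is added example code, not Samba or Heimdal code: a toy KDC handling PA-ENC-TIMESTAMP pre-authentication, built once in the "leaky" order (account state checked before the client has proven it knows the key, so a bare or wrong-password AS-REQ already gets KDC_ERR_KEY_EXPIRED) and once in the order comment 6 attributes to MS-AD (KDC_ERR_PREAUTH_REQUIRED first, KDC_ERR_PREAUTH_FAILED for a wrong password, and KDC_ERR_KEY_EXPIRED only after a correct one). The error codes are the real RFC 4120 values; the string-to-key function, the keyed MAC standing in for the encrypted timestamp, the salt choice, the DEMO_NOW clock and the two accounts are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# KRB-ERROR codes from RFC 4120, section 7.5.9.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_KEY_EXPIRED = 23
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
AS_OK = 0  # assumption: stands in for a successful AS-REP

DEMO_NOW = 1_700_000_000   # constructed "current time" (epoch seconds)
MAX_PWD_AGE = 42 * 86400   # 42 days, the AD default maxPwdAge


@dataclass
class Account:
    key: bytes
    pwd_last_set: int  # 0 means "must change at next logon" (pwdLastSet: 0 in the LDIF above)

    def password_expired(self, now: int) -> bool:
        return self.pwd_last_set == 0 or now - self.pwd_last_set > MAX_PWD_AGE


def string_to_key(password: str, salt: str) -> bytes:
    # Assumption: toy string-to-key; real enctypes derive keys per RFC 3961/3962.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def pa_enc_timestamp(key: bytes, timestamp: int) -> bytes:
    # Assumption: a keyed MAC over the timestamp stands in for the encrypted timestamp.
    return hmac.new(key, str(timestamp).encode(), "sha256").digest()


class KDC:
    def __init__(self, accounts: Dict[str, Account], preauth_first: bool):
        self.accounts = accounts
        self.preauth_first = preauth_first

    def as_req(self, principal: str, padata: Optional[Tuple[int, bytes]], now: int) -> int:
        account = self.accounts.get(principal)
        if account is None:
            return KDC_ERR_C_PRINCIPAL_UNKNOWN

        if not self.preauth_first and account.password_expired(now):
            # Leaky ordering: account state is reported to anyone who asks,
            # before (or instead of) demanding proof of the password.
            return KDC_ERR_KEY_EXPIRED

        if padata is None:
            return KDC_ERR_PREAUTH_REQUIRED

        timestamp, blob = padata
        expected = pa_enc_timestamp(account.key, timestamp)
        if abs(now - timestamp) > 300 or not hmac.compare_digest(expected, blob):
            return KDC_ERR_PREAUTH_FAILED

        # Only a caller who produced a valid timestamp blob gets here, so the
        # expiry status is disclosed only to someone who knows the password.
        if account.password_expired(now):
            return KDC_ERR_KEY_EXPIRED
        return AS_OK


def kinit(kdc: KDC, principal: str, password: str, now: int = DEMO_NOW) -> int:
    """Client side: bare AS-REQ, then retry with PA-ENC-TIMESTAMP if asked to."""
    err = kdc.as_req(principal, None, now)
    if err != KDC_ERR_PREAUTH_REQUIRED:
        return err
    key = string_to_key(password, principal)  # assumption: salt = principal name
    return kdc.as_req(principal, (now, pa_enc_timestamp(key, now)), now)


def expiry_oracle(kdc: KDC, principal: str, now: int = DEMO_NOW) -> bool:
    """What an unauthenticated caller learns: does a wrong password reveal expiry?"""
    return kinit(kdc, principal, "definitely-not-the-password", now) == KDC_ERR_KEY_EXPIRED


DEMO_PASSWORDS = {"foobar": "foobar.99", "alice": "Correct-Horse-7"}  # constructed


def make_kdcs() -> Tuple[KDC, KDC]:
    """Return (leaky, fixed) KDCs over the same two constructed accounts."""
    accounts = {
        "foobar": Account(string_to_key(DEMO_PASSWORDS["foobar"], "foobar"), pwd_last_set=0),
        "alice": Account(string_to_key(DEMO_PASSWORDS["alice"], "alice"), pwd_last_set=DEMO_NOW - 86400),
    }
    return KDC(accounts, preauth_first=False), KDC(accounts, preauth_first=True)


if __name__ == "__main__":
    for name, kdc in zip(("leaky", "fixed"), make_kdcs()):
        print(name, "foobar/wrong ->", kinit(kdc, "foobar", "wrong"),
              "| alice/wrong ->", kinit(kdc, "alice", "wrong"),
              "| expiry oracle on foobar:", expiry_oracle(kdc, "foobar"))
```

The leaky KDC answers a wrong password with 23 for foobar but 24 for alice, so an unauthenticated caller can tell which accounts have pwdLastSet 0 (newly created, reset, or forced-change accounts). The fixed KDC answers 24 for both and reserves 23 for a caller who has already passed pre-authentication, which is the behaviour the Windows kinit transcript in comment 5 shows.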
Comment 7 Gary Lockyer 2026-03-26 01:50:29 UTC
Created attachment 18924
Proposed fix (version 1)

The actual changes will need to be made to lorikeet-heimdal and then merged into samba.
Comment 8 Samba QA Contact 2026-03-31 00:42:03 UTC
This bug was referenced in samba master:

f9ca5b75f82e8efbeebdc8520114a5d89dcbbf00
9b46613c6e41eac5bfc4832d8a9f3c72dc1a5e8e
Comment 9 Gary Lockyer 2026-03-31 03:09:45 UTC
Does this need to be back ported?