Bug 6471 - Unable to change a password that has expired with kpasswd
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
Depends on:
Reported: 2009-06-13 14:00 UTC by Matthieu Patou
Modified: 2009-06-17 22:54 UTC

Proposed patch for disactivating the check of password expiration. (1.14 KB, patch)
2009-06-13 14:07 UTC, Matthieu Patou
Patch to fix the problem properly (15.51 KB, patch)
2009-06-15 09:02 UTC, Andrew Bartlett

Description Matthieu Patou 2009-06-13 14:00:20 UTC
With an account whose password has expired, it's impossible to change the password with kpasswd against an s4 domain controller. It's possible with w2k3.

The core of the problem lies in the function authsam_account_ok of source4/auth/sam.c, which does not allow an exception for the verification of the password expiration.
Comment 1 Matthieu Patou 2009-06-13 14:07:03 UTC
Created attachment 4283
Proposed patch for disactivating the check of password expiration.

With this patch, the pwdLastSet is set for the request to the maximum value so that the check of password expiration will not fail.
Comment 2 Andrew Bartlett 2009-06-14 17:39:21 UTC
This is really nice debugging work!

I think we need to pass in the server principal (or more particularly, its record) when checking the password expiry. I think overloading of the flags is the wrong approach, but shows the issue nicely.

Comment 3 Matthieu Patou 2009-06-15 02:06:37 UTC
Please note that changing the password through Windows works even when it's expired.
I debugged it a little bit and it turns out that when trying to change an expired password the pwdLastSet is automagically set to the current timestamp (but I was unable to find how it's done in the code).
Comment 4 Andrew Bartlett 2009-06-15 06:32:26 UTC
Windows uses SAMR, not kpasswd for password changes, so this check (for password expiry) is not applied.

I'll in fact be adding more checks to the SAMR password change code (for security), but of course not adding this bug there too.

Expect a fix for the Kerberos case soon.
Comment 5 Andrew Bartlett 2009-06-15 09:02:59 UTC
Created attachment 4289
Patch to fix the problem properly

This is a much better fix.  Testing welcome!

(I need to figure out how to best test this in a script)
Comment 6 Andrew Bartlett 2009-06-17 22:54:27 UTC
Fixed in 19413c52495877d54c90c60229568d0077fda30b
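
The idea raised in comment 2 (take the server principal into account when checking password expiry, rather than overriding pwdLastSet for the request), as an added example that is not Samba's code and not the attached patch. All type and function names are hypothetical, times are simplified to seconds, and the exemption is assumed to apply only to the kpasswd service principal kadmin/changepw (RFC 3244); a disabled account is never exempted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names for illustration; not Samba's API. */
enum acct_status { ACCT_OK, ACCT_DISABLED, ACCT_PASSWORD_EXPIRED };

struct account {
    bool    disabled;
    int64_t pwd_last_set; /* seconds; 0 = must change at next logon */
    int64_t max_pwd_age;  /* seconds; 0 = passwords never expire */
};

/* kpasswd requests carry a ticket for kadmin/changepw[@REALM]. */
static bool is_password_change_service(const char *server_principal)
{
    static const char svc[] = "kadmin/changepw";
    size_t n = sizeof(svc) - 1;

    if (server_principal == NULL || strncmp(server_principal, svc, n) != 0)
        return false;
    /* Exact match only: reject look-alikes such as kadmin/changepwX. */
    return server_principal[n] == '\0' || server_principal[n] == '@';
}

static bool password_expired(const struct account *a, int64_t now)
{
    if (a->pwd_last_set == 0)
        return true;
    if (a->max_pwd_age == 0)
        return false;
    return now >= a->pwd_last_set + a->max_pwd_age;
}

/* Expiry is waived only for the password-change service; every other
 * check (here: disabled) still applies to that request. */
enum acct_status account_ok(const struct account *a,
                            const char *server_principal, int64_t now)
{
    if (a->disabled)
        return ACCT_DISABLED;
    if (password_expired(a, now) &&
        !is_password_change_service(server_principal))
        return ACCT_PASSWORD_EXPIRED;
    return ACCT_OK;
}
```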