Bug 1306926

Summary: SAMBA AD: Appropriate message to be given by net when AD user password is expired
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: surabhi <sbhaloth>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA QA Contact: Vivek Das <vdas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rhgs-3.1CC: gdeschner, jrivera, madam, nlevinki, rcyriac, rhinduja, rjoseph, rtalur
Target Milestone: ---
Keywords: ZStream
Target Release: RHGS 3.1.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: samba-4.4.3-1 Doc Type: Bug Fix
Doc Text:
Earlier, joining an AD domain with Samba could fail with a password mismatch error for accounts with expired passwords. This update ensures that the correct error message is displayed so that users know their password has expired and needs to be updated.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-23 05:37:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1299184    

Description surabhi 2016-02-12 08:33:41 UTC
Description of problem:
*****************************************

While running net ads join from the Samba server to join the Windows AD domain, I
get an error where it says password mismatch and the join doesn't happen.
Actually the password was expired for the user (Administrator).

I think it should throw the appropriate message that "password is
expired" and not password mismatch.

Then I tried kinit for the domain: kinit administrator
There I got the appropriate message that the password is expired and needs to be
changed; then it gives the option to change the password,
but kinit still fails for that attempt.
Once I tried to log in from the Windows machine itself with the new password
that was changed and then tried kinit from the server, it succeeded.


Configuration Details:

Windows Server 2012 R2
samba-4.2.4-12.el7rhgs.x86_64
Red Hat Enterprise Linux Server release 7.2

There are a primary DC, a secondary DC and a child DC.

smb.conf:
[global]
	workgroup = RHSQE-2012-DC
	realm = rhsqe-2012-dc.com
	netbios name = RHS-SAMBA
	server string = Samba Server Version %v
	security = ADS
	log file = /var/log/samba/log.%m
	max log size = 50
	ctdbd socket = /var/run/ctdb/ctdbd.socket
	clustering = Yes
	load printers = No
	disable spoolss = Yes
	show add printer wizard = No
	stat cache = No
	winbind nss info = rfc2307
	idmap config * : range = 1000000-1999999
	idmap config * : backend = tdb
	aio read size = 4096
	printing = bsd
	map archive = No
	map readonly = no
	store dos attributes = Yes
	kernel share modes = No
	include = /etc/samba/ctdb.conf

After configuring and following all the steps from the admin guide for AD:

net ads join -U Administrator 
Failed to join domain: failed to lookup DC info for domain 'RHSQE-2012-DC.COM' over rpc:password mismatch

After that I tried kinit: kinit administrator
"password is expired, change password"
and it gives the option to change the password. The password is changed, and then kinit failed for the first attempt.

Tried logging in from the Windows server itself using the same password; it succeeded.

And once again doing kinit, it succeeded.

Version-Release number of selected component (if applicable):


How reproducible:
Tried once.

Steps to Reproduce:
1. Set up AD with Samba as mentioned in the RHGS Admin Guide
2. Try to join the Windows domain with the domain user Administrator.
3. Use the expired password to join the domain
4. See the error message
5. Do kinit to the domain to change the password, and see if kinit succeeds.

Actual results:
The net command gives the error as password mismatch, when actually the password was expired.
kinit gives the option to change the password but does not succeed in the first attempt.

Expected results:
An appropriate message, e.g. "password is expired, change password", shall be given if the password is expired for the AD user.

Additional info:

Comment 3 Michael Adam 2016-04-13 09:25:38 UTC
Is this possibly already fixed in upstream samba in commit b3931af2df293a9cb75f21cdb5555fb6725dff34 ?

Assigning to Günther.

Comment 5 Raghavendra Talur 2016-05-20 10:27:02 UTC
I have filled in the doc_text with some information from the commit. Would like Guenther to verify the same.

Comment 6 Guenther Deschner 2016-05-20 12:10:12 UTC
Updated the doc_text with some little corrections. Otherwise looks fine. Thanks!

Comment 7 Vivek Das 2016-06-07 05:50:12 UTC
I have updated the password policy to expire in 1 day. So we have to wait for the password expiry, i.e. 24 hrs, and after that I will update the bug.
Once the password expires we can verify the appropriate message.

Meanwhile I am looking at other possibilities to verify the same.

Comment 8 Vivek Das 2016-06-07 11:23:12 UTC
net ads join -U Administrator
Enter Administrator's password:
kerberos_kinit_password Administrator failed: Password has expired
Failed to join domain: failed to connect to AD: Password has expired

Marking it as verified.
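Comment 7 waits for the domain's 1-day password policy to expire the Administrator password before the fixed "Password has expired" message (comment 8) can be checked. The same decision can be made from the account's own directory attributes before net ads join is ever run. The following is an added example, not code from this bug report or from Samba: it takes the attribute values that ldapsearch returns for the user (pwdLastSet, userAccountControl) and for the domain root (maxPwdAge) and computes the expiry the DC will enforce. The sample values, including the 1-day maxPwdAge and the dates, are constructed and not taken from the reporter's domain; the FILETIME encoding and the UF_DONT_EXPIRE_PASSWD bit are standard AD definitions.

```python
"""Check whether an AD account's password has expired before running a join.

Added example; not code from this bug report or from Samba. It works on the
attribute values ldapsearch prints for the user (pwdLastSet,
userAccountControl) and for the domain root (maxPwdAge) and computes the
expiry the DC enforces. All sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond intervals since
# 1601-01-01 UTC. maxPwdAge is a negative duration in the same unit.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit meaning "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge values that mean "no domain-wide maximum password age".
NO_MAX_PWD_AGE = (0, -0x8000000000000000)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (keeps the samples short)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Exact integer conversion; float seconds * 1e7 would round at 1e17."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Inverse of datetime_to_filetime (sub-microsecond part is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_status(pwd_last_set, user_account_control, max_pwd_age, now):
    """Return {"expired": bool, "reason": str, "expires_at": datetime or None}.

    pwdLastSet == 0 means "must change password at next logon"; this script
    treats that as expired before looking at the never-expire flag, which is
    the conservative choice for a join that needs a working password.
    """
    if pwd_last_set == 0:
        return {"expired": True, "reason": "must change password at next logon",
                "expires_at": None}
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return {"expired": False, "reason": "password never expires",
                "expires_at": None}
    if max_pwd_age in NO_MAX_PWD_AGE:
        return {"expired": False, "reason": "domain has no maximum password age",
                "expires_at": None}
    last_set = filetime_to_datetime(pwd_last_set)
    # maxPwdAge is negative; negate it to get the lifetime.
    expires_at = last_set + timedelta(microseconds=(-max_pwd_age) // 10)
    if now >= expires_at:
        return {"expired": True,
                "reason": "password expired on %s" % expires_at.isoformat(),
                "expires_at": expires_at}
    return {"expired": False,
            "reason": "password valid until %s" % expires_at.isoformat(),
            "expires_at": expires_at}


def check_from_ldap_attrs(user_attrs, domain_attrs, now):
    """Same check driven by string attribute values as ldapsearch prints them."""
    return password_status(
        int(user_attrs["pwdLastSet"]),
        int(user_attrs["userAccountControl"]),
        int(domain_attrs["maxPwdAge"]),
        now,
    )


if __name__ == "__main__":
    # Constructed sample: a 1-day maxPwdAge like the policy set in comment 7
    # (1 day = 86400 s * 10^7 intervals = 864000000000, stored negative).
    domain = {"maxPwdAge": "-864000000000"}
    user = {"pwdLastSet": str(datetime_to_filetime(utc(2016, 6, 6))),
            "userAccountControl": "512"}  # 512 = NORMAL_ACCOUNT, no extra flags
    for when in (utc(2016, 6, 6, 12), utc(2016, 6, 7, 5, 50)):
        print(when.isoformat(), check_from_ldap_attrs(user, domain, when)["reason"])
```

The attribute values can be fetched with ldapsearch against the DC (pwdLastSet and userAccountControl from the user object, maxPwdAge from the domain naming context) and passed in as strings; with the sample 1-day policy the password set on 2016-06-06 reads as valid at noon that day and expired the next morning, which is the state in which the fixed net ads join prints "Password has expired".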

Comment 14 errata-xmlrpc 2016-06-23 05:37:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1248