Bug 1306926 - SAMBA AD: Appropriate message to be given by net when AD user password is expired
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba (Show other bugs)
: RHGS 3.1.3
Assigned To: Guenther Deschner
Vivek Das
: ZStream
Depends On:
Blocks: 1299184
Reported: 2016-02-12 03:33 EST by surabhi
Modified: 2016-06-23 01:37 EDT (History)

See Also:
Fixed In Version: samba-4.4.3-1
Doc Type: Bug Fix
Doc Text:
Earlier, joining an AD domain with Samba could fail with a password mismatch error for accounts with expired passwords. This update ensures that the correct error message is displayed so that users know their password has expired and needs to be updated.
Story Points: ---
Clone Of:
Last Closed: 2016-06-23 01:37:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1248 normal SHIPPED_LIVE gluster-smb bug fix and enhancement update 2016-06-23 05:13:14 EDT

Description surabhi 2016-02-12 03:33:41 EST
Description of problem:

While running net ads join from the samba server to join the Windows AD domain I
get an error that says password mismatch and the join doesn't happen.
Actually the password was expired for the user (Administrator).

I think it should throw the appropriate message that "password is
expired" and not password mismatch.

Then I tried kinit for the domain: kinit administrator@RHSQE-2012-DC.COM
There I got the appropriate message that the password is expired and needs to be
changed, then it gives the option to change the password,
but kinit still fails for that attempt.
Once I tried to login from Windows machine itself with the new password
that was changed and then tried kinit from the server it succeeded.

Configuration Details:

Windows Server 2012 R2
Red Hat Enterprise Linux Server release 7.2

there are primary DC, Secondary DC and a Child DC.

smb.conf:

[global]
	workgroup = RHSQE-2012-DC
	realm = rhsqe-2012-dc.com
	netbios name = RHS-SAMBA
	server string = Samba Server Version %v
	security = ADS
	log file = /var/log/samba/log.%m
	max log size = 50
	ctdbd socket = /var/run/ctdb/ctdbd.socket
	clustering = Yes
	load printers = No
	disable spoolss = Yes
	show add printer wizard = No
	stat cache = No
	winbind nss info = rfc2307
	idmap config * : range = 1000000-1999999
	idmap config * : backend = tdb
	aio read size = 4096
	printing = bsd
	map archive = No
	map readonly = no
	store dos attributes = Yes
	kernel share modes = No
	include = /etc/samba/ctdb.conf

After configuring and following all the steps from admin guide for AD:

net ads join -U Administrator 
Failed to join domain: failed to lookup DC info for domain 'RHSQE-2012-DC.COM' over rpc:password mismatch

After that tried kinit: kinit administrator@RHSQE-2012-DC.COM
"password is expired, change password"
and it gives the option to change the password. The password is changed and then kinit failed for the first attempt.

Tried logging in from the Windows server itself using the same password; it succeeded.

And once again doing kinit, it succeeded.

Version-Release number of selected component (if applicable):

How reproducible:
Tried once.

Steps to Reproduce:
1. Set up AD with samba as mentioned in the RHGS Admin guide
2. Try to join the Windows domain with the domain user Administrator.
3. Use the expired password to join the domain
4. See the error message
5. Do kinit to the domain to change the password, and see if kinit succeeds.

Actual results:
The net command gives the error as password mismatch, when actually the password was expired.
kinit gives the option to change the password but does not succeed in the first attempt.

Expected results:
An appropriate message, e.g. "password is expired, change password", shall be given if the password is expired for the AD user.

Additional info:
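As an added example (not part of the bug report and not Samba's own code): a shell wrapper that runs the kinit check the reporter fell back to before attempting the join, so an expired password is reported as such even with a net that still says "password mismatch". It assumes MIT Kerberos (kinit, kdestroy) and Samba's net are installed and /etc/krb5.conf knows the realm; the kinit error strings it matches are MIT's, the user and realm in the usage line are the report's, and everything else (function names, reason codes) is constructed for this example.

```shell
#!/bin/sh
# Added example: not part of the bug report or of Samba. Pre-check the join
# credential with MIT kinit so that an expired password is reported as such
# before "net ads join" is attempted. Assumes MIT Kerberos (kinit, kdestroy)
# and Samba's net are installed and /etc/krb5.conf knows the realm. The
# kinit messages matched below are MIT's; the user/realm in the usage line
# come from the report, everything else here is constructed.

# Map MIT kinit's stderr text to a short reason code.
classify_kinit_error() {
    case "$1" in
        *"Password has expired"*)                      echo expired ;;
        *"Password incorrect"*|*"Preauthentication failed"*)
                                                       echo wrong_password ;;
        *"credentials have been revoked"*)             echo revoked ;;
        *"Client not found in Kerberos database"*)     echo unknown_principal ;;
        *"Clock skew too great"*)                      echo clock_skew ;;
        *"Cannot contact any KDC"*|*"Cannot find KDC"*) echo kdc_unreachable ;;
        *)                                             echo other ;;
    esac
}

# Obtain a TGT for user@REALM into a throwaway cache, feeding the password
# to kinit on stdin (never on the command line). Prints the reason code and
# returns kinit's exit status.
precheck_credential() {
    user=$1; realm=$2; password=$3
    cache=$(mktemp) || return 1
    # 2>&1 >/dev/null: capture stderr (the error text), discard stdout.
    err=$(printf '%s\n' "$password" |
          KRB5CCNAME="FILE:$cache" kinit "$user@$realm" 2>&1 >/dev/null)
    rc=$?
    kdestroy -c "FILE:$cache" >/dev/null 2>&1
    rm -f "$cache"
    if [ "$rc" -eq 0 ]; then
        echo ok
    else
        classify_kinit_error "$err"
    fi
    return "$rc"
}

# Run the pre-check, then join. The password reaches net through the PASSWD
# environment variable, which Samba's client tools honor, so it does not
# appear in the process list as "-U user%password" would.
join_domain() {
    user=$1; realm=$2; password=$3
    reason=$(precheck_credential "$user" "$realm" "$password")
    case "$reason" in
        ok)
            PASSWD=$password net ads join -U "$user"
            ;;
        expired)
            echo "password for $user@$realm has expired; change it first:" >&2
            echo "    kpasswd $user@$realm" >&2
            return 2
            ;;
        *)
            echo "kinit for $user@$realm failed: $reason" >&2
            return 1
            ;;
    esac
}

# Usage (realm in upper case, as Kerberos expects):
#   join_domain Administrator RHSQE-2012-DC.COM "$ADMIN_PASSWORD"
```

The classifier is the only part that runs offline; precheck_credential and join_domain need a reachable KDC. Keying on kinit's text is a stopgap for builds of net that collapse every logon failure into "password mismatch"; once net itself reports "Password has expired" (as in the verification output later in this bug), the wrapper is redundant.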
Comment 3 Michael Adam 2016-04-13 05:25:38 EDT
Is this possibly already fixed in upstream samba in commit b3931af2df293a9cb75f21cdb5555fb6725dff34 ?

Assigning to Günther.
Comment 5 Raghavendra Talur 2016-05-20 06:27:02 EDT
I have filled in doc_text with some information from commit. Would like Guenther to verify the same.
Comment 6 Guenther Deschner 2016-05-20 08:10:12 EDT
Updated the doc_text with some little corrections. Otherwise looks fine. Thanks!
Comment 7 Vivek Das 2016-06-07 01:50:12 EDT
I have updated the password policy to expire in 1 day. So we have to wait for the password expiry, i.e. 24 hrs, and post that I will update the bug.
Once the password expires we can verify the appropriate message.

Meanwhile I am looking at other possibilities to verify the same.
Comment 8 Vivek Das 2016-06-07 07:23:12 EDT
net ads join -U Administrator
Enter Administrator's password:
kerberos_kinit_password Administrator@RHSQE-2012-DC.COM failed: Password has expired
Failed to join domain: failed to connect to AD: Password has expired

Marking it as verified.
Comment 14 errata-xmlrpc 2016-06-23 01:37:18 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

