User must change password at next login

Hi

We use LDAPS to communicate with the UCS server from a remote access solution. When the option “User must change password at next login” is ticked we get “unknown user or password” on the remote access solution; when it is not ticked we can login ok. We also have a Microsoft AD set as an authentication source in the same product, and when the user must change their password box is ticked we get the option to change the password. Are there any known bugs in Samba 4 with this function, or any logs on the UCS server that can be checked?

Regards

James

Hi,
Your remote access solution must support password change for LDAP. For Citrix Access Gateway there is an explanation at CTX122972.
It may also depend on whether you are trying to authenticate against Samba4-LDAP on 389/636 or OpenLDAP on 7389/7636.
If your solution does not have the capabilities for this configuration I would try to use AD-based authentication against Samba 4 instead of LDAPS against the Samba- or UCS-LDAP (OpenLDAP). Just the same way as you configured AD-based authentication but pointing to the UCS-DC with Samba4.

Best Regards,
Dirk

The actual product is Checkpoint Mobile Access; it fully supports LDAPS and connects via port 636 to the samba 4 server. The password change feature works with Microsoft AD but seems to have an issue with Samba 4, and I’m at a loss as to the cause of the issue. As the traffic is encrypted it is not possible to capture it to inspect, and switching to normal LDAP will not work as encrypted LDAPS is needed to perform the password change function.

Regards

James

Assuming that you followed Advanced Password Management Settings and the bind account is able to change the passwords, the only way I have discovered is to increase the Samba Debug log to 10 (UCR variable samba/debug/level). The output may be a bit noisy, so any logs from the Checkpoint would probably be more efficient.

Regards,
Dirk

Hi

I have analysed the logs which Checkpoint helped to obtain from the Mobile Access blade. It seems that the primary error code is the same from Microsoft AD and Samba4, but the additional error code is different, which is causing the issue resetting the user's password.

Microsoft AD

[19 Jun 18:03:27][CPLDAPCL] server = hostnameremoved, SDK Response <code = 49, message = Invalid credentials , Error Message = 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1>

Samba4

[19 Jun 17:36:10][CPLDAPCL] server = hostnameremoved, SDK Response <code = 49, message = Invalid credentials , Error Message = Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE>

I have also now been able to find some more information by searching the error codes.

bugzilla.samba.org/show_bug.cgi?id=9048
confluence.atlassian.com/displa … or+Code+49

Is there anything we can do to change this behavior?

Regards

James
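The two log lines above show the root of the mismatch: both directories return LDAP result code 49 (invalidCredentials), but AD carries the "must change password" condition as the hex sub-code `data 773` in its diagnostic text while Samba 4 spells out `NT_STATUS_PASSWORD_MUST_CHANGE`. The following is an added example, not code from the thread or from Checkpoint or Univention; it parses both diagnostic formats from constructed copies of the quoted log lines and maps them to one vendor-neutral reason, which is what a client would need to do to offer the password-change dialog for both servers.

```python
import re

# Constructed copies of the two client log lines quoted in the thread
# (hostname already removed by the poster).
AD_LOG = ("[19 Jun 18:03:27][CPLDAPCL] server = hostnameremoved, SDK Response "
          "<code = 49, message = Invalid credentials , Error Message = 80090308: "
          "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1>")
SAMBA_LOG = ("[19 Jun 17:36:10][CPLDAPCL] server = hostnameremoved, SDK Response "
             "<code = 49, message = Invalid credentials , Error Message = "
             "Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE>")

# Active Directory puts a hex sub-code in the "data NNN" field of the
# invalidCredentials (49) diagnostic message; 773 is "must change password".
AD_SUBCODES = {
    "525": "user_not_found",
    "52e": "bad_password",
    "532": "password_expired",
    "533": "account_disabled",
    "773": "password_must_change",
}

# Samba 4 reports the NT status name instead of the numeric sub-code.
SAMBA_STATUS = {
    "NT_STATUS_NO_SUCH_USER": "user_not_found",
    "NT_STATUS_WRONG_PASSWORD": "bad_password",
    "NT_STATUS_PASSWORD_EXPIRED": "password_expired",
    "NT_STATUS_ACCOUNT_DISABLED": "account_disabled",
    "NT_STATUS_PASSWORD_MUST_CHANGE": "password_must_change",
}


def bind_failure_reason(log_line: str) -> dict:
    """Map a client-side bind failure line to a vendor-neutral reason.
    Result code 49 alone cannot separate a wrong password from a
    required password change; only the diagnostic text can."""
    m = re.search(r"code = (\d+).*?Error Message = (.*?)>", log_line)
    if not m:
        return {"code": None, "diagnostic": "", "reason": "unparsed"}
    code, diag = int(m.group(1)), m.group(2).strip()
    reason = "unknown"
    if code == 49:
        reason = "invalid_credentials"          # no recognised sub-code
        ad = re.search(r"\bdata ([0-9a-fA-F]+)\b", diag)
        nt = re.search(r"\b(NT_STATUS_[A-Z_]+)\b", diag)
        if ad:
            reason = AD_SUBCODES.get(ad.group(1).lower(), reason)
        elif nt:
            reason = SAMBA_STATUS.get(nt.group(1), reason)
    return {"code": code, "diagnostic": diag, "reason": reason}
```

Logging the normalised `reason` alongside the raw diagnostic also makes it easy to spot in SIEM data whether a burst of code-49 failures is users being prompted to change passwords or actual bad-password attempts.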

Hi,
I was not able to find a workaround.
At least I created bug 31818.

regards,
Dirk
