http://bugzilla.opensuse.org/show_bug.cgi?id=961653 http://bugzilla.opensuse.org/show_bug.cgi?id=961653#c1 Howard Guo changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Normal |Major --- Comment #1 from Howard Guo --- This is a moderately severe security issue, can anyone with samba expertise please take care? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 http://bugzilla.opensuse.org/show_bug.cgi?id=961653#c3 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |astieger@suse.com, | |jamesrstocker@gmail.com Flags| |needinfo?(jamesrstocker@gma | |il.com) --- Comment #3 from Andreas Stieger --- Please attach your pam configuration. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 James Stocker changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(jamesrstocker@gma | |il.com) | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 http://bugzilla.opensuse.org/show_bug.cgi?id=961653#c7 --- Comment #7 from James Stocker --- I've just tested this on Leap 42.2, I found that it now offers you the chance to change your password, and it works if you pass the password restrictions set on the DC. However, I found that if I reused an old password, which the DC rejects, it lets you in to your account, implying the password has changed, when in fact the password didn't change. Definitely an improvement, but handling the exceptions needs some improvement. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 http://bugzilla.opensuse.org/show_bug.cgi?id=961653#c10 --- Comment #10 from Yifan Jiang --- (In reply to James Stocker from comment #9)

That question doesn't make sense in the context. If I reboot it would have no affect on the password that samba is expecting, it already rejected the new password we tried to submit, at that point the user should have been told why the password change failed and told to try again, not to be logging in

Ye..if you can still use the old password after reboot, it indeed revealed indirectly the password was not set at the first place (excluding the cache issue). I will set up something similar to take a look. Thanks James! -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 http://bugzilla.opensuse.org/show_bug.cgi?id=961653#c16 --- Comment #16 from James Stocker --- My colleagues tried this on Leap 42.2 yesterday to test the behaviour: with GDM - A warning appears (for half a second) that your password has expired and it logs you in without any further warning or request for you to change your password - This basically circumvents the requirement to force a user to change their password periodically. with SDDM - The user is able to log in normally, but if the password has expired on the domain controller, you cannot log in at all with KDM - it tells you your password has expired, it lets you change it. This is the desired behaviour. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=961653 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- Version|Leap 42.1 |Leap 42.3 -- You are receiving this mail because: You are on the CC list for the bug.