[39528] in Kerberos


krb5_change_password rejected on some Windows 2025

daemon@ATHENA.MIT.EDU (Arnaud Bouchez via Kerberos)
Wed Jun 25 07:00:22 2025

Message-ID: <de2f2cf3-9c17-479f-807c-dbb49eabda68@mailo.com>
Date: Wed, 25 Jun 2025 12:58:48 +0200
MIME-Version: 1.0
Content-Language: en-US, fr
To: kerberos@mit.edu
From: Arnaud Bouchez via Kerberos <kerberos@mit.edu>
Reply-To: abz++krb@mailo.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

Hello,

Windows Server 2025-based Active Directory domain controllers appear to
regress in handling the KPASSWD protocol. Namely, a password change request
is being processed and the password of an Active Directory account has
been changed, but the response produced by the domain controller is a
Kerberos error with code 0, explicitly not allowed by RFC 3244,
which describes the Microsoft KPASSWD protocol.

Source:
https://lists.samba.org/archive/cifs-protocol/2024-December/004390.html

The `krb5_change_password()` function rejects is_error +
KRB5_KPASSWD_SUCCESS as expected by the RFC, but it fails on this
buggy/featured Windows Server 2025 AD.

If I understand correctly, we could remove the following lines in chpw.c:

krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
....
     /* Successful replies must not come from errors. */
     if (is_error && result_code == KRB5_KPASSWD_SUCCESS) {
         ret = KRB5KRB_AP_ERR_MODIFIED;
         goto cleanup;
     }

So that the API would work on those AD versions.

Additional information about this MS/Windows issue is available at:
https://gitlab.freedesktop.org/realmd/adcli/-/issues/40

The official server-side fix is not there yet, and it may help
to mitigate it on the client side.

Thanks for your attention.
Arnaud


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
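
The reply handling discussed in the message above, as an added C example that is not part of the original post and is not MIT krb5 code: it parses the RFC 3244 reply header and reports "KRB-ERROR carrying result code 0" as its own verdict, so a caller can apply an explicit policy to it instead of treating it as either success or tampering. All function, enum and array names are hypothetical, the sample packets are constructed, and the result payload is assumed to be already decoded.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for this example; not MIT krb5 identifiers. */
enum chpw_verdict {
    CHPW_OK,            /* code 0 carried in AP-REP + KRB-PRIV */
    CHPW_REJECTED,      /* nonzero result code, either reply form */
    CHPW_ERROR_SUCCESS, /* code 0 inside a KRB-ERROR, i.e. outside KRB-PRIV protection */
    CHPW_MALFORMED      /* framing does not match RFC 3244 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 6-byte RFC 3244 reply header: message length, protocol
 * version (1 in replies), AP-REP length. A zero AP-REP length means the
 * rest of the packet is a KRB-ERROR rather than AP-REP + KRB-PRIV.
 * Returns 0 and sets *is_error, or -1 on bad framing. */
int chpw_parse_header(const uint8_t *pkt, size_t len, int *is_error)
{
    if (len < 6 || (size_t)be16(pkt) != len || be16(pkt + 2) != 1)
        return -1;
    uint16_t ap_rep_len = be16(pkt + 4);
    if ((size_t)ap_rep_len > len - 6)
        return -1;
    *is_error = (ap_rep_len == 0);
    return 0;
}

/* Classify a reply. `result` is the already-decoded result payload
 * (KRB-PRIV user-data or KRB-ERROR e-data): a 16-bit big-endian result
 * code followed by an optional result string. */
enum chpw_verdict chpw_classify(const uint8_t *pkt, size_t len,
                                const uint8_t *result, size_t result_len,
                                uint16_t *code_out)
{
    int is_error;
    if (chpw_parse_header(pkt, len, &is_error) != 0 || result_len < 2)
        return CHPW_MALFORMED;
    *code_out = be16(result);
    if (*code_out != 0)
        return CHPW_REJECTED;
    return is_error ? CHPW_ERROR_SUCCESS : CHPW_OK;
}

/* Constructed sample packets; the bodies after the header are filler bytes. */
const uint8_t PRIV_REPLY[] = {0,14, 0,1, 0,4, 0xaa,0xaa,0xaa,0xaa, 0xbb,0xbb,0xbb,0xbb};
const uint8_t ERR_REPLY[]  = {0,10, 0,1, 0,0, 0xcc,0xcc,0xcc,0xcc};
const uint8_t RESULT_OK[]  = {0, 0};
```
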
