Can you send me the trace tools and set up a workspace to confirm what
I'm seeing, because I just don't see soon-to-expire passwords being
rotated. I just see them rotated once they expire.

Thanks,

Andrew Bartlett

On Wed, 2024-05-15 at 23:39 +0000, Kristian Smith via cifs-protocol wrote:
> That was a speedy reply!
>
> I just confirmed that all three of the conditions, including the
> nearing-expiration case, are checked before sending the ticket.
>
> Let me know if you have any other questions/concerns.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft® Corporation
> Office phone: +1 425-421-4442
> Email: kristian.sm...@microsoft.com
>
> From: Andrew Bartlett <abart...@samba.org>
> Sent: Wednesday, May 15, 2024 3:58 PM
> To: Kristian Smith <kristian.sm...@microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportm...@microsoft.com>
> Subject: [EXTERNAL] Re: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated? - TrackingID#2404290040010292
>
> Thanks. I don't see the password being rolled in the nearing expiry
> case. Does that happen before or after the ticket is issued? (I
> just see a short-life ticket being issued).
>
> I will extend my tests to see if it is rolled after the issue of the
> ticket, but currently when I check pwdLastSet and the returned NT
> password hash, neither have changed in the soon-to-expire case, but
> the ticket lifetime has shortened so we know it really was soon to
> expire.
>
> Andrew Bartlett
>
> On Wed, 2024-05-15 at 22:50 +0000, Kristian Smith wrote:
> > Hi Andrew,
> >
> > I have completed my research on this case and have some answers for
> > you.
> >
> > Your observation about the DC waiting for the PDC to process is
> > accurate. Here are the circumstances for non-PDCs:
> >
> > A BDC must send the request to a PDC and wait for a response. If
> > the request fails to the PDC, then randomize password locally.
> >
> > An RODC must send the request to a PDC, but optionally request a
> > BDC if the PDC call fails.
> >
> > We roll the password in the following circumstances at logon:
> >
> > The account has been flagged for a password change at next logon.
> >
> > The password is expired.
> >
> > The password is nearing expiration and validity of that ticket
> > would surpass the expiration of the password.
> >
> > If you have any additional questions, please let me know.
> >
> > Regards,
> > Kristian Smith
> >
> > From: Kristian Smith <kristian.sm...@microsoft.com>
> > Sent: Monday, April 29, 2024 11:46 AM
> > To: Andrew Bartlett <abart...@samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportm...@microsoft.com>
> > Subject: msDS-ExpirePasswordsOnSmartCardOnlyAccounts - when are passwords rotated? - TrackingID#2404290040010292
> >
> > Hi Andrew,
> >
> > I'm creating two new cases for your inquiries. This one will be for
> > the following component of your question:
> >
> > "Can you clarify which parts of the AD DC call
> > ResetSmartCardAccountPassword and under what circumstances? Is it
> > just the KDC during PK-INIT AS-REQ processing?
> >
> > Is there anything else that rotates these passwords? The reason I
> > ask is that this being the only case would suggest that where the
> > DC is not the PDC, the PK-INIT AS-REQ processing must wait for the
> > PDC before continuing processing. (We know the local case
> > does, it gets the new password for return in the PAC)."
> >
> > You will see another email from me soon regarding the other case. I
> > will send an update once I have conducted an investigation into
> > these concerns.
> >
> > Regards,
> > Kristian Smith
> >
> > From: Andrew Bartlett <abart...@samba.org>
> > Sent: Sunday, April 28, 2024 9:14 PM
> > To: Kristian Smith <kristian.sm...@microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportm...@microsoft.com>
> > Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190
> >
> > Thanks Kristian, that is most helpful.
> >
> > Can you clarify which parts of the AD DC call
> > ResetSmartCardAccountPassword and under what circumstances? Is it
> > just the KDC during PK-INIT AS-REQ processing?
> >
> > Is there anything else that rotates these passwords? The reason I
> > ask is that this being the only case would suggest that where the
> > DC is not the PDC, the PK-INIT AS-REQ processing must wait
> > for the PDC before continuing processing. (We know the local case
> > does, it gets the new password for return in the PAC).
> >
> > Finally, the doc needs some correction: the references to
> > pwdLastSet make no sense (it should always be in the past); I
> > think a meta-variable for the calculated password expiry is what is
> > meant.
> >
> > Thanks!
> >
> > Andrew Bartlett
> >
> > On Thu, 2024-04-25 at 21:41 +0000, Kristian Smith wrote:
> > > [Michael to Bcc]
> > >
> > > Hi Andrew,
> > >
> > > Thanks for reaching out with your question. The password-rolling
> > > attribute you're looking for is
> > > "msDS-ExpirePasswordsOnSmartCardOnlyAccounts".
> > >
> > > It can be found in the following docs:
> > >
> > > [MS-SAMS] 3.3.5.7.2 Normative Specification
> > >
> > > [MS-ADA2] 2.319 Attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts
> > >
> > > To a lesser extent here as well:
> > >
> > > [MS-ADSC] 2.44 Class domainDNS
> > >
> > > Let me know if this answers the question, or if there is anything
> > > that can be clarified.
> > >
> > > Regards,
> > > Kristian Smith
> > >
> > > From: Michael Bowen <mike.bo...@microsoft.com>
> > > Sent: Wednesday, April 24, 2024 10:39 AM
> > > To: Andrew Bartlett <abart...@samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportm...@microsoft.com>
> > > Subject: Re: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED - TrackingID#2404240040010190
> > >
> > > [Case number in subject]
> > > [Casemail to cc]
> > > [Dochelp to bcc]
> > >
> > > Hi Andrew,
> > >
> > > Thank you for your request. The case number 2404240040010190 has
> > > been created for this inquiry. One of our team members will
> > > follow up with you soon.
> > >
> > > Best regards,
> > >
> > > Mike Bowen
> > > Sr. Escalation Engineer - Microsoft® Corporation
> > >
> > > From: Andrew Bartlett <abart...@samba.org>
> > > Sent: Tuesday, April 23, 2024 5:52 PM
> > > To: Interoperability Documentation Help <doch...@microsoft.com>
> > > Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
> > > Subject: [EXTERNAL] Protocol documentation for automatic rollover of expired passwords with UF_SMARTCARD_REQUIRED
> > >
> > > Kia Ora Dochelp!
> > >
> > > I'm looking for any documentation as to the finer details of
> > >
> > > > DCs can support automatic rolling of the NTLM and other
> > > > password-based secrets on a user account configured to require
> > > > PKI authentication. This configuration is also known as "Smart
> > > > card required for interactive logon"
> > >
> > > from
> > >
> > > https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
> > >
> > > I don't see any mention of this in MS-ADPS, but am not sure where
> > > next to check.
> > >
> > > In particular, while I have reproduced the rollover for 'must
> > > change now', I'm wondering when the password otherwise rolls
> > > over: is it before the expiry (eg with the 'old password allowed
> > > time' grace of 60 mins, for example), or at the expiry?
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead                                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
_______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol
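The logon-time rollover conditions and non-PDC forwarding rules Kristian lists, together with Andrew's point that the expiry is a value derived from pwdLastSet, as an added Python model; this is illustrative code written for this page, not Windows or Samba code, and the function names, the ticket_lifetime parameter and the sample times are assumptions.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional

# Illustrative model of the rules stated in the thread, not Windows or Samba code (assumed names).

class RollReason(Enum):
    NONE = "no rollover"
    MUST_CHANGE = "flagged for password change at next logon"
    EXPIRED = "password expired"
    NEARING_EXPIRY = "ticket validity would surpass password expiry"

def roll_reason(pwd_last_set: datetime, max_pwd_age: timedelta, now: datetime,
                ticket_lifetime: timedelta, must_change: bool = False) -> RollReason:
    """The three logon-time conditions, checked in the order Kristian listed them."""
    if must_change:
        return RollReason.MUST_CHANGE
    # Expiry is derived (pwdLastSet + maxPwdAge); pwdLastSet itself is always in the past.
    expiry = pwd_last_set + max_pwd_age
    if now >= expiry:
        return RollReason.EXPIRED
    if now + ticket_lifetime > expiry:  # a full-length ticket would outlive the password
        return RollReason.NEARING_EXPIRY
    return RollReason.NONE

def reset_path(role: str, reset_via_pdc: Callable[[], bool],
               reset_via_bdc: Optional[Callable[[], bool]] = None) -> str:
    """Where a DC of the given role performs the reset, per the non-PDC rules in the thread."""
    if role == "PDC":
        return "local"
    if reset_via_pdc():
        return "pdc"
    if role == "BDC":
        return "local-randomized"  # BDC: randomize the password locally if the PDC call fails
    if role == "RODC" and reset_via_bdc is not None and reset_via_bdc():
        return "bdc"               # RODC: may fall back to a BDC after the PDC call fails
    return "failed"                # outcome not covered by the thread; surfaced, not guessed

def sample_decisions() -> dict:
    """Constructed scenarios (42-day maxPwdAge, 10-hour ticket); returns the reason names."""
    max_age, ticket = timedelta(days=42), timedelta(hours=10)
    now = datetime(2024, 5, 15, 22, 50, tzinfo=timezone.utc)
    return {
        "fresh": roll_reason(now - timedelta(days=1), max_age, now, ticket).name,
        "nearing": roll_reason(now - timedelta(days=41, hours=20), max_age, now, ticket).name,
        "expired": roll_reason(now - timedelta(days=43), max_age, now, ticket).name,
        "must_change": roll_reason(now - timedelta(days=1), max_age, now, ticket, True).name,
    }
```

The "nearing" scenario is the one Andrew could not reproduce: the password still has four hours left, but a ten-hour ticket would outlive it, so the model rolls it before issuing the ticket.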