Users unable to change password Active Directory/LDAP

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 12.0.2): 15.0.0
Operating system and version (eg, Ubuntu 17.04): CentOS 7.6
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.14
PHP version (eg, 7.1): 7.3.0

Hi all,

We have a small deployment that I have recently reconfigured to authenticate against ActiveDirectory (Nethserver Samba4) - this is a fresh install and all appears to be working well apart from password resets.

I have followed the tutorial and have set the ‘dSHeuristics’ bit accordingly and have allowed the LDAP user (set in the main settings page) to allow password changes.

I am able to change the password for users from the Admin, Users page, and users are also able to reset their password using the forgotten password link on the login page. What they can’t do (and the issue) is reset it from their Settings page.

When a user enters their old password and new password (it definitely meets the min password complexity requirements) it just displays a red box and the words “Incorrect password”.

When I access the AD manager, I see a write/change attempt has been made to the user account as the ‘modified’ time is exactly the same time as I get the following error in the log:

Warning	  core	  Login failed: '26XXX39B-3637-4E74-A433-A0AXXXXXX835' (Remote IP: 'XX.XX.XX.XX')

My LDAP scheme is as follows (some redacted)

Login attributes
(&(|(memberof=CN=Nextcloud_Allow,OU=Nextcloud,OU=Groups,OU=COMPANY,DC=example,DC=example,DC=example)(primaryGroupID=0000))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

I followed this request: Ldap integration and password change, which seemed to be unresolved and added (entryUUID=%uid) to the end of the schema, but this didn’t work.

The allow users to change password is selected in the Advanced section of the LDAP plugin.

Any pointers would be greatly appreciated

1 Like

Bump.

Any pointers appreciated!

Thanks

Bump. Any pointers please

Have you been able to resolve this? I am experiencing the exact same issue.

I have modified dSheuristics, delegated user account change, password change to the ldap bind user. Enabled SSL/LDAPS.
I cannot change the password via admin page, reset link or in user control panel.

exact same problem here.
LDAPS enabled, including usage of personal CA
dSHeuristics set
ldap bind user is in Domain-Admin Group

Oh and I think with active directory entryUUID=%uid should be “objectGUID=%uid”, but that doesn’t work either

Okay I did some more testing and I think the problem is not related to the change pw function but a login issue. As indicated by the logs.

As login attributes I entered/enabled “objectGUID=%uid” as well as several other individual attributes, like “sAMAccountName”, “mail” and “userPrincipalName”.
All these attributes work as username for login and refer to the correct user, beside the objectGUID. Even with the correct objectGUID as user and password in the login page, I get a username/password wrong error.
So, IMHO, the pw change service is unable to login to the AD while using the objectGUID for login.

Would be happy if someone can verify.

I found the following guide written by Dr. Kiljan is quite useful for setting up the samba4 ad to work with nextcloud.

  1. As Kiljan states, the following samba command allows a user with a particular objectSid to do plain-text password changes inside a predefined OU container. Don’t split the command into different lines, run it in a single line. Otherwise python will give you errors.

samba-tool dsacl set --action=allow --objectdn='OU=Web Hosting,DC=ad,DC=example,DC=com' --sddl="(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2; <objectSid>)"

In this example, the reset password should work for the users inside “Web Hosting” OU.

  2. Adding “objectGUID=%uid” to the “Login Attributes” actually fixes the change password problem in the individual user setting page.

  3. If you still can not change password, for debug purpose, you could use domain administrator under the nextcloud LDAP / AD integration setting. When I try that, admin account is powerful enough to change/reset the password without any samba-tool stuff.

1 Like

Thank you sooooooooooo much! I’ve been investigating for so long, and a combination of all the above helped me with a similar problem (on my Ubuntu 18.04.3, Samba 4.7.6 as AD DC, Nextcloud 17.0.1 with PHP 7.2.24 on apache2). Especially Dr. Kiljan’s article helped, and it is the best Samba AD howto I’ve seen, so it’s a pity I haven’t encountered it earlier - and thanks a lot for giving that link!

So first, I confirm that for me it appears to be some bug in nextcloud - that for a password change operation, nextcloud searches the user by UUID, but using configured attributes (name/email). I saw this wrong LDAP search filter being used in /var/log/samba/log.samba (which I configured by putting “log level = 5 auth:5” into smb.conf). And the message on the nextcloud password change webpage was “Wrong password”.

So adding objectGUID to the “login attributes” helped here - now the user was at least found in AD. But beware that you might need some other attribute than objectGUID - e.g. if you’re using some other LDAP than Samba AD. You can e.g. try ‘uid’ or one of [‘entryuuid’, ‘nsuniqueid’, ‘objectguid’, ‘guid’, ‘ipauniqueid’] that are mentioned in nextcloud/apps/user_ldap/lib/Access.php

But the problem changed to another, with a message “Unable to change password” (what’s interesting, Nextcloud sent an email notification anyway, stating to the user that their password has just been changed - but still the old password was set).

So, secondly, the LDAP user dedicated to nextcloud integration could not reset password, but the “domain administrator” seemed to be able. So for the dedicated nextcloud user, I added permission to reset passwords (but via RSAT), and still it did not work. I am not sure if I tried to add this user to Administrators and/or Domain Admins groups. But when I changed the dSHeuristics setting using ldbedit (apt install ldb-tools) - just as Dr. Kiljan wrote - then password changing by a nextcloud user finally worked! :slight_smile:

What’s interesting, it even works over an unencrypted connection (ldap server require strong auth = no # this setting perhaps needs a whole machine reboot), so I guess TLS is not a problem here.

2 Likes

Your answer helped me to get it working!!! Thanks a lot! The critical part to know in Active Directory is:

Allow user password change over LDAP

Front end applications can use LDAP as a back end authentication server. Some of these applications also allow authenticated users to change their passwords.

AD allows password changes by manipulating the unicodePwd attribute of an account. Web applications such as Nextcloud only support password changes through manipulation of the more LDAP common userPassword attribute. By default the latter is not allowed in AD. This can be overridden by modifying the dSHeuristics attribute. Specifically, the fUserPwdSupport heuristic must be set to true. To do this, run:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb \
  -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com' \
  '(objectClass=ntDSService)'

Add the following line to the bottom and save:

dSHeuristics: 000000001

This will set the 9th heuristic of dSHeuristics, fUserPwdSupport, to true.

Password changes are only allowed over secure connections, which is why TLS support for LDAP connections was enabled earlier.

And here is the GUI version of the explanation:

https://ldapwiki.com/wiki/Enable%20UserPassword%20in%20Microsoft%20Active%20Directory

You just need to know that you need to set that hidden bit.

Cheers

1 Like
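The guide above says the 9th character of dSHeuristics is fUserPwdSupport. Two things trip people up when editing that string by hand: an off-by-one (ten characters instead of nine sets the wrong position), and overwriting other heuristics already present. The helpers below are an added example (not from the thread, Nextcloud or Samba) that read and update the string while honouring the MS-ADTS rule that every 10th character (positions 10, 20, ...) must equal its position digit (1, 2, ...).

```python
# Added example: safe handling of the AD dSHeuristics flag string.
# dSHeuristics is a string of single-character flags, indexed 1-based.
# Position 9 is fUserPwdSupport; positions 10, 20, ... are check digits
# that must read "1", "2", ... (MS-ADTS). Absent positions count as "0".

F_USER_PWD_SUPPORT = 9  # 1-based position documented in the guide above


def heuristic(value: str, position: int) -> str:
    """Return the flag at a 1-based position; positions past the end read as '0'."""
    if position < 1:
        raise ValueError("dSHeuristics positions are 1-based")
    return value[position - 1] if len(value) >= position else "0"


def user_pwd_support_enabled(value: str) -> bool:
    """True when fUserPwdSupport is set, i.e. AD honours userPassword writes."""
    return heuristic(value, F_USER_PWD_SUPPORT) == "1"


def check_digits_valid(value: str) -> bool:
    """Verify the mandatory check digits: char 10 == '1', char 20 == '2', ..."""
    return all(value[pos - 1] == str(pos // 10)
               for pos in range(10, len(value) + 1, 10))


def set_heuristic(value: str, position: int, flag: str) -> str:
    """Return value with one flag changed, keeping all other flags intact.

    The string is zero-padded to reach the position and the check digits
    are (re)filled, so the result is always a well-formed dSHeuristics.
    """
    if len(flag) != 1:
        raise ValueError("a heuristic is a single character")
    if position % 10 == 0:
        raise ValueError("positions 10, 20, ... are reserved check digits")
    chars = list(value.ljust(position, "0"))
    chars[position - 1] = flag
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def enable_user_pwd_support(value: str) -> str:
    """Produce the dSHeuristics value to write, starting from the current one."""
    return set_heuristic(value, F_USER_PWD_SUPPORT, "1")
```

Read the current value with ldbsearch/ldbedit (as in the guide) or an equivalent tool, pass it through enable_user_pwd_support, and write back the result instead of blindly replacing it with 000000001.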

So i double checked my settings here:
https://ldapwiki.com/wiki/Enable%20UserPassword%20in%20Microsoft%20Active%20Directory

and i have dsHeuristics set to 000000001 and updated my Schema but without good effect.

Trying to change the value in nextcloud for personal pw changes doesn’t let my testuser (AD member) change the password via LDAP.
I still get the error message “Password couldn’t be changed”

Testing with an “explicitly wrong oldPassword” I get “wrong password”, so a kind of connection should be there.

I do not have a samba 4.x server so i can’t use or modify the option “fUserPwdSupport” but only set my dSHeuristics attribute to the value above, right?

Each try of a pwd change has been acknowledged with a change email → so nextcloud informs about the pw change but didn’t do that in AD.

Does anybody know a PowerShell command to check whether fUserPwdSupport is TRUE or FALSE?