Yudai Yamagishi
2014-10-24 05:42:44 UTC
Hello,
I’m currently having a problem where a non-root user can’t change his/her own
password using smbpasswd command after the password expiration and would
like to know how I could solve this problem.
Currently, I have a samba server running on CentOS 6.5 with its passdb backend
configured to another LDAP server. The samba version I’m currently using is
samba-3.6.9-169 which should be the latest version provided by yum on CentOS 6.
The setup is working perfectly as it should except for the one issue I mentioned above,
which is, an user with expired password cannot change its own password using
smbpasswd command.
I currently have the following samba-related entries in each user in my LDAP database:
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1406347540
Also, I have sambaDomainName=WORKGROUP with entries like the following:
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaMinPwdLength: 6
sambaLogonToChgPwd: 2
sambaLockoutDuration: 1
sambaMaxPwdAge: 7776000
sambaLockoutObservationWindow: 1
sambaLockoutThreshold: 5
With these settings pdbedit shows the following output:
# pdbedit -u USERNAME -v
Unix username: USERNAME
NT username: USERNAME
Account Flags: [U ]
User SID: **DELETED**
Primary Group SID: **DELETED**
Full Name: USERNAME
Home Directory:
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path:
Domain: WORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 12:14:07 JST
Kickoff time: Tue, 19 Jan 2038 12:14:07 JST
Password last set: Sat, 26 Jul 2014 13:05:40 JST
Password can change: Sat, 26 Jul 2014 13:05:40 JST
Password must change: Fri, 24 Oct 2014 13:05:40 JST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# pdbedit -P "maximum password age" -v
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 7776000
# pdbedit -P "minimum password age" -v
account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0
# pdbedit -P "user must logon to change password" -v
account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 2
# pdbedit -P "refuse machine password change" -v
account policy "refuse machine password change" description: Allow Machine Password changes (default: 0 => off)
account policy "refuse machine password change" value is: 0
When I run smbpasswd (smbpasswd -U USERNAME) from a non-root user, it dies with:
SPNEGO login failed: Password expired (shown when -D 10)
cli_init_creds: user domain (shown when -D 10)
Failed to change password!
I can’t paste all the server logs here but the following log seem to be related (log level 50):
[2014/10/24 14:34:08.679682, 5] auth/check_samsec.c:165(logon_hours_ok)
logon_hours_ok: user USERNAME allowed to logon at this time (Fri Oct 24 05:34:08 2014
)
[2014/10/24 14:34:08.679736, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679773, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/10/24 14:34:08.679809, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679845, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/10/24 14:34:08.679881, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/10/24 14:34:08.679942, 11] passdb/pdb_ldap.c:4040(ldapsam_get_account_policy)
ldapsam_get_account_policy: got valid value from cache
[2014/10/24 14:34:08.679982, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/10/24 14:34:08.680020, 1] auth/check_samsec.c:224(sam_account_ok)
sam_account_ok: Account for user 'USERNAME' password expired!
[2014/10/24 14:34:08.680062, 1] auth/check_samsec.c:225(sam_account_ok)
sam_account_ok: Password expired at 'Fri, 24 Oct 2014 13:05:40 JST' (1414123540) unix time.
[2014/10/24 14:34:08.680108, 5] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: sam authentication for user [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680152, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [USERNAME]
[2014/10/24 14:34:08.680188, 3] auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/10/24 14:34:08.680223, 10] auth/auth.c:259(check_ntlm_password)
check_ntlm_password: winbind had nothing to say
[2014/10/24 14:34:08.680260, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680306, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_EXPIRED
The issue I’m having sounds like the bug mentioned in the bug report below:
https://bugzilla.samba.org/show_bug.cgi?id=4085
However, since I am running a version which should have the patch applied,
I don’t think this bug applies to my case.
So, can anyone shed some light on what’s going on here?
Best Regards,
Yudai Yamagishi
I’m currently having a problem where a non-root user can’t change his/her own
password using smbpasswd command after the password expiration and would
like to know how I could solve this problem.
Currently, I have a samba server running on CentOS 6.5 with its passdb backend
configured to another LDAP server. The samba version I’m currently using is
samba-3.6.9-169 which should be the latest version provided by yum on CentOS 6.
The setup is working perfectly as it should except for the one issue I mentioned above,
which is, an user with expired password cannot change its own password using
smbpasswd command.
I currently have the following samba-related entries in each user in my LDAP database:
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1406347540
Also, I have sambaDomainName=WORKGROUP with entries like the following:
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaMinPwdLength: 6
sambaLogonToChgPwd: 2
sambaLockoutDuration: 1
sambaMaxPwdAge: 7776000
sambaLockoutObservationWindow: 1
sambaLockoutThreshold: 5
With these settings pdbedit shows the following output:
# pdbedit -u USERNAME -v
Unix username: USERNAME
NT username: USERNAME
Account Flags: [U ]
User SID: **DELETED**
Primary Group SID: **DELETED**
Full Name: USERNAME
Home Directory:
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path:
Domain: WORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 12:14:07 JST
Kickoff time: Tue, 19 Jan 2038 12:14:07 JST
Password last set: Sat, 26 Jul 2014 13:05:40 JST
Password can change: Sat, 26 Jul 2014 13:05:40 JST
Password must change: Fri, 24 Oct 2014 13:05:40 JST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# pdbedit -P "maximum password age" -v
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 7776000
# pdbedit -P "minimum password age" -v
account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0
# pdbedit -P "user must logon to change password" -v
account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 2
# pdbedit -P "refuse machine password change" -v
account policy "refuse machine password change" description: Allow Machine Password changes (default: 0 => off)
account policy "refuse machine password change" value is: 0
When I run smbpasswd (smbpasswd -U USERNAME) from a non-root user, it dies with:
SPNEGO login failed: Password expired (shown when -D 10)
cli_init_creds: user domain (shown when -D 10)
Failed to change password!
I can’t paste all the server logs here but the following log seem to be related (log level 50):
[2014/10/24 14:34:08.679682, 5] auth/check_samsec.c:165(logon_hours_ok)
logon_hours_ok: user USERNAME allowed to logon at this time (Fri Oct 24 05:34:08 2014
)
[2014/10/24 14:34:08.679736, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679773, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/10/24 14:34:08.679809, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679845, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/10/24 14:34:08.679881, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/10/24 14:34:08.679942, 11] passdb/pdb_ldap.c:4040(ldapsam_get_account_policy)
ldapsam_get_account_policy: got valid value from cache
[2014/10/24 14:34:08.679982, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/10/24 14:34:08.680020, 1] auth/check_samsec.c:224(sam_account_ok)
sam_account_ok: Account for user 'USERNAME' password expired!
[2014/10/24 14:34:08.680062, 1] auth/check_samsec.c:225(sam_account_ok)
sam_account_ok: Password expired at 'Fri, 24 Oct 2014 13:05:40 JST' (1414123540) unix time.
[2014/10/24 14:34:08.680108, 5] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: sam authentication for user [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680152, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [USERNAME]
[2014/10/24 14:34:08.680188, 3] auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/10/24 14:34:08.680223, 10] auth/auth.c:259(check_ntlm_password)
check_ntlm_password: winbind had nothing to say
[2014/10/24 14:34:08.680260, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680306, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_EXPIRED
The issue I’m having sounds like the bug mentioned in the bug report below:
https://bugzilla.samba.org/show_bug.cgi?id=4085
However, since I am running a version which should have the patch applied,
I don’t think this bug applies to my case.
So, can anyone shed some light on what’s going on here?
Best Regards,
Yudai Yamagishi
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.o
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.o