Hello,

Some users in my domain report that they have to use different (old) passwords on different computers. They say that they still have to use their "old" passwords after they changed it. My domain setup is that users are asked to automatically change their password on Windows 7 Enterprise after some months. So they have to do that. Otherwise they cannot login. But why is it, that the old password is still requested on some computers? Can this happen, when users do not turn off Windows 7 computers (are still logged in on the PC where they changed the password) and switch to other computers?

I looked in all relevant logs in /var/log, auth.log and in all logs in directory samba. I cannot even find ANY information for user authentication. Where to look? Which log is relevant? How to raise the log level?

I run a Samba Active Directory DC 4.1.17 on Debian Jessie.

I attached some logs to the mail how /var/log looks ... hardly any logging except for startups and shutdowns of samba. I restarted samba and attached the logs. How to monitor this problem?

Any help why this happens is much appreciated.

KR, birgit

/var/log/samba
20:50:33 # ls -la
insgesamt 76
drwxr-x--- 3 root adm 4096 Feb 3 06:25 .
drwxr-xr-x 9 root root 4096 Feb 4 06:25 ..
drwx------ 4 root root 4096 Okt 4 19:59 cores
-rw-r--r-- 1 root root 0 Okt 4 19:59 log.
-rw-r--r-- 1 root root 0 Okt 11 06:25 log.nmbd
-rw-r--r-- 1 root root 373 Okt 4 22:36 log.nmbd.1.gz
-rw-r--r-- 1 root root 47049 Feb 4 20:49 log.samba
-rw-r--r-- 1 root root 829 Feb 4 20:50 log.smbd
-rw-r--r-- 1 root root 394 Feb 2 17:46 log.smbd.1

more log.smbd
[2016/02/04 20:49:56, 0] ../source3/smbd/server.c:1189(main)
  smbd version 4.1.17-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2016/02/04 20:49:56.632305, 0] ../lib/util/become_daemon.c:136(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connectionsUnable to connect to CUPS server localhost:631 - Ungültiger Dateideskriptor
  STATUS=daemon 'smbd' finished starting up and ready to serve connectionsfailed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2016/02/04 20:50:56.705359, 0] ../source3/printing/print_cups.c:151(cups_connect)
  Unable to connect to CUPS server localhost:631 - Ungültiger Dateideskriptor
[2016/02/04 20:50:56.705745, 0] ../source3/printing/print_cups.c:528(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

more samba.log
[2016/02/04 20:49:55.974285, 0] ../source4/smbd/server.c:370(binary_smbd_main)
  samba version 4.1.17-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2016/02/04 20:49:56.170079, 0] ../source4/smbd/server.c:488(binary_smbd_main)
  samba: using 'standard' process model
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2016/02/04 20:49:56.217188, 0] ../lib/util/become_daemon.c:136(daemon_ready)
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
  samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

On 04/02/16 20:02, oeh univie edv lists wrote:
> Hello,
>
> Some users in my domain report that they have to use different (old)
> passwords on different computers. They say that they still have to use
> their "old" passwords after they changed it. My domain setup is that users
> are asked to automatically change their password on Windows 7 Enterprise
> after some months. So they have to do that. Otherwise they cannot login.
> But why is it, that the old password is still requested on some computers?
> Can this happen, when users do not turn off Windows 7 computers (are still
> logged in on the PC where they changed the password) and switch to other
> computers?

If a password is changed but the old password still works on *some* windows machines, then this is very probably not a Samba problem, it could in fact be a windows 'feature', see here:

https://support.microsoft.com/en-us/kb/906305

Rowland

Hello,

In what samba version is parameter "old password allowed period" introduced? This parameter seems to be the remedy to my problem but I cannot find it with "testparm -v | grep password" or in my "man smb.conf". Does it even exist in 4.1.17 (just the regular debian package)?

In this document it says it is for samba version 4: https://www.mankier.com/5/smb.conf

I found this where the parameter is introduced: https://jelmer.uk/klaus/samba/commit/9d5f4cabf3f491fd1c22dbc1daaad8a657d12914/

Is there an easy solution to use this parameter in 4.1.17?

I set "Enforce Password History" to value "0" in the GPO. Login with the previous old password is no longer possible BUT I cannot change the new password to any old passwords. That should be possible with no history, shouldn't it? I tried it several times. Somehow the password history still works regarding that. But why?

I moved gencache.tdb in /var/cache/samba to oldgenchache.tdb but still the same behaviour... I restarted samba...

Why does the password history still work? Where does Samba store the password history? This behaviour is perfect for what I want, but there is no logic in it. There must be some lack of understanding here...

And for what reasons should one want a 60 minutes permit on NTLM login after a password change anyway?

kind regards, birgit

Rowland penny <rpenny at samba.org> writes:
> If a password is changed but the old password still works on *some*
> windows machines, then this is very probably not a Samba problem, it
> could in fact be a windows 'feature', see here:
>
> https://support.microsoft.com/en-us/kb/906305
>
> Rowland

Thank you! I found "Enforce Password History" in the GPO. It is set to 24 per default, so that the password has to be changed to 24 new passwords before an old password can be changed to again... but to disable that means that users can reuse their old password immediately if they are prompted for a new one... yet it is also annoying that the old ones are still valid... I'd rather change the OldPasswordAllowedPeriod. But I do not know how to do that...
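
Added example, not part of the original thread and not code from Samba or Windows: a simplified model of the two controls discussed above, showing that password history is checked when a password is changed while the old-password grace period is checked at NTLM network logon. The `Account` class, the function names, the SHA-256 stand-in hash and the timeline are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def h(password):
    # Stand-in for the stored password hash (assumption; not the real NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

@dataclass
class Account:
    current: str
    pwd_last_set: datetime
    previous: list = field(default_factory=list)  # older hashes, newest first

def change_password(acct, new_password, now, history_length=24):
    """Change-time control: refuse a password still inside the history window."""
    new = h(new_password)
    window = ([acct.current] + acct.previous)[:history_length]
    if new in window:
        return False
    acct.previous.insert(0, acct.current)
    acct.current, acct.pwd_last_set = new, now
    return True

def ntlm_network_logon(acct, password, now, old_password_allowed_period=60):
    """Logon-time control: the immediately previous password is still accepted
    for NTLM network logons until the allowed period (minutes) has elapsed."""
    presented = h(password)
    if presented == acct.current:
        return True
    # Assumption: the model always keeps the previous hash; how a real DC
    # stores it when the history length is 0 is not modelled here.
    grace = timedelta(minutes=old_password_allowed_period)
    is_previous = bool(acct.previous) and presented == acct.previous[0]
    return is_previous and now - acct.pwd_last_set <= grace

def demo():
    t0 = datetime(2016, 2, 4, 9, 0)  # constructed timeline and passwords
    acct = Account(current=h("Winter2015!"), pwd_last_set=t0 - timedelta(days=90))
    change_password(acct, "Spring2016!", t0)
    old, later = "Winter2015!", t0 + timedelta(hours=3)
    return {
        "old_after_10_min": ntlm_network_logon(acct, old, t0 + timedelta(minutes=10)),
        "old_after_2_h": ntlm_network_logon(acct, old, t0 + timedelta(hours=2)),
        "old_with_period_0": ntlm_network_logon(acct, old, t0 + timedelta(minutes=10), 0),
        "reuse_old_history_24": change_password(acct, old, later),
        "reuse_old_history_0": change_password(acct, old, later, history_length=0),
    }
```

In this model, shortening the allowed period closes the logon window without touching reuse rules, and setting the history length to 0 permits reuse without affecting the logon window.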