Hi!

I had installed samba-3.0.0-2 with openldap-2.1.25 on Debian testing with kernel 2.4.23. All the Windows 98, ME, XP, NT, 2000 were able to join the domain as I was able to set the same SID as the previous version of Samba that was installed earlier. The only problem that arose was the Win-98, ME User list problem that was posted on this list at http://lists.samba.org/archive/samba/2003-December/076483.html

So, I decided to upgrade the Samba version. Now, I have Samba-3.0.2rc2 on the same machine acting as domain controller. Users were not able to log in to the domain after the upgrade, the error being NT_STATUS_WRONG_PASSWORD. But when I reset the password using the 'smbpasswd' command, they could.

On comparing the LDAP attributes of the users whose passwd I had reset and of those I didn't, I observed that when the values of the following three attributes are set to '0' (zero) for a user, he was not able to log in:

sambaPwdLastSet
sambaPwdCanChange
sambaPwdMustChange

In Samba-3.0.0-2, if these values were set to 0, the user was prompted to change his password at the time of first logon, saying that his password has expired. But with Samba-3.0.2rc2, login was not possible. Only on removing these three attributes or resetting their values, which is done by 'smbpasswd', were logins possible.

It would be helpful if someone could enlighten me on this issue. Thanks in advance.

regards,
Nishant

--
Nishant Sharma, DeepRoot Linux, Bangalore, India
+91(80)28565624, http://www.deeproot.co.in
Server Appliances. Solutions. Migration. Community Projects.
Getting Linux to work for you. Faster. Better. Today. Everyway

The intensity of your desires determines the intensity of your success! -Anonymous

On Mon, 9 Feb 2004, Nishant Sharma wrote:

> On comparing the LDAP attributes of the users whose passwd I had reset
> and of those I didn't, I observed that when the value of the following
> three attributes are set to '0'(zero) for a user, he was not able to
> login: sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
>
> In Samba-3.0.0-2, if these values were set to 0, the user was prompted
> to change his password at the time of first logon saying that his
> password has expired. But with Samba-3.0.2rc2, login was not possible.
> Only on removing these three attributes or resetting their values, which
> is done by 'smbpasswd', logins were possible.

The reason for the change is related to the uninitialized password issues described in the 3.0.2 release notes.

cheers, jerry

--
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)

On Tue, 2004-02-10 at 02:42, Nishant Sharma wrote:

> Hi!
>
> On comparing the LDAP attributes of the users whose passwd I had reset and
> of those I didn't, I observed that when the value of the following
> three attributes are set to '0'(zero) for a user, he was not able to
> login:
> sambaPwdLastSet
> sambaPwdCanChange
> sambaPwdMustChange
>
> In Samba-3.0.0-2, if these values were set to 0, the user was prompted to
> change his password at the time of first logon saying that his password
> has expired. But with Samba-3.0.2rc2, login was not possible. Only on
> removing these three attributes or resetting their values, which is done
> by 'smbpasswd', logins were possible.
>
> It would be helpful if someone could enlighten me on this issue. Thanks in
> advance.

Quite correct. If the password was last set in 1970, then we consider that it might be a bogus password (see the security announcement about mksmbpasswd.sh for 3.0.2). Either do not set that attribute, or set it to a valid value. (The other values are unaffected).

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
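
An added example, not part of the thread or of Samba: a small audit of an LDIF export that finds the accounts affected by the behaviour discussed above (sambaPwdLastSet present and equal to 0) and writes LDIF modify records that drop only that attribute. The DNs and values in the sample are constructed; only the attribute names come from the thread.

```python
# Added example: audit an LDIF export for sambaPwdLastSet: 0 (constructed data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaPwdLastSet: 0
sambaPwdCanChange: 0
sambaPwdMustChange: 0

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaPwdLastSet: 1076300000
sambaPwdMustChange: 0

dn: uid=carol,ou=People,
 dc=example,dc=org
objectClass: sambaSamAccount
uid: carol
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}); unfolds continuations, no base64 decoding."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def zero_pwd_last_set(text):
    """DNs of Samba accounts whose sambaPwdLastSet is present and equal to 0."""
    return [dn for dn, a in parse_ldif(text)
            if "sambasamaccount" in [v.lower() for v in a.get("objectclass", [])]
            and a.get("sambapwdlastset") == ["0"]]

def removal_ldif(dns):
    """LDIF modify records that delete only sambaPwdLastSet from each DN."""
    return "".join(f"dn: {dn}\nchangetype: modify\ndelete: sambaPwdLastSet\n-\n\n"
                   for dn in dns)

if __name__ == "__main__":
    print(removal_ldif(zero_pwd_last_set(SAMPLE_LDIF)), end="")
```

Resetting the password with smbpasswd, as in the original post, is the alternative that also replaces the stored password rather than only clearing the timestamp.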