samba - Oct 2006 - Windows client does not recognize password change...

Hello!


SuSE Linux 10.0
Samba 3.0.20b
OpenLDAP backend
IDEALX scripts v0.9.2
Windows XP SP2 client

Everything seems to be working except when changing your password from 
the Windows client (CTRL-ALT-DEL and "Change password"). When I try to
change the password I get the following error message.

"The User name or old password is incorrect. Letters in passwords must 
be typed using the correct case."

But the kicker is that the PDC *did* change both Linux and Windows 
passwords; the client machine is saying there's an error when the 
password was changed.

According to the log file for the machine, it looks like it may have 
failed because it couldn't find the "sambaPwdMustChange"
attribute. But
using a LDAP browser, I see that the "sambaPwdMustChange" is there.

Any suggestions on how to fix this or what the problem may be?


Thank you!

Jason


[2006/10/04 13:13:00, 5] 
passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
   secrets_fetch failed!
[2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
   init_sam_from_ldap: Entry found for user: jason
[2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
   Looking up login cache for user jason
[2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
   No cache entry found
[2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
   init_sam_from_ldap: Entry found for user: jason
[2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
   Looking up login cache for user jason
[2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
   No cache entry found
[2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
   ldapsam_update_sam_account: user jason to be modified has dn: 
uid=jason,ou=People,dc=amiwest,dc=com
[2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
   init_ldap_from_sam: Setting entry for user: jason
[2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
   ldapsam_modify_entry: Failed to modify user dn= 
uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
         modify/delete: sambaPwdMustChange: no such value
[2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
   ldapsam_update_sam_account: failed to modify user with uid = jason, 
error: modify/delete: sambaPwdMustChange: no such value (Success)
[2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
   init_sam_from_ldap: Entry found for user: jason
[2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
   Looking up login cache for user jason
[2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
   No cache entry found
[2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
   decode_pw_buffer: incorrect password length (190012133).
[2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
   decode_pw_buffer: check that 'encrypt passwords = yes'


dn: uid=jason,ou=People,dc=amiwest,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: Jason Shaw
sambaPasswordHistory: 
00000000000000000000000000000000000000000000000000000000
  00000000
sambaPwdCanChange: 2
sambaAcctFlags: [UX]
sambaPwdLastSet: 1159992792
sambaPwdMustChange: 1163880792
modifiersName: cn=Manager,dc=amiwest,dc=com
modifyTimestamp: 20061004201312Z
(some stuff cut)


/etc/openldap/slapd.conf:
access to 
attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
         by self write
         by * auth


/etc/samba/smb.conf:
[global]
         enable privileges = Yes
         username map = /etc/samba/smbusers
         unix password sync = Yes
         passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
         passwd chat debug = Yes
         encrypt passwords = Yes
         log level = 1 passdb:7
         ldap passwd sync = Yes

Hello,


Does anyone have any suggestions on how I might troubleshoot this issue? 
I haven't heard any suggestions and I'd really like to solve this.

I've googled this and every email that has the same "No such attribute
-
modify/delete: sambaPwdMustChange" error message has no response to it.

So, if anyone has any suggestions, I'm all ears!


Thank you,

Jason

Jason Shaw wrote:
> Hello!
> 
> 
> SuSE Linux 10.0
> Samba 3.0.20b
> OpenLDAP backend
> IDEALX scripts v0.9.2
> Windows XP SP2 client
> 
> Everything seems to be working except when changing your password from 
> the Windows client (CTRL-ALT-DEL and "Change password"). When I
try to
> change the password I get the following error message.
> 
> "The User name or old password is incorrect. Letters in passwords must
> be typed using the correct case."
> 
> But the kicker is that the PDC *did* change both Linux and Windows 
> passwords; the client machine is saying there's an error when the 
> password was changed.
> 
> According to the log file for the machine, it looks like it may have 
> failed because it couldn't find the "sambaPwdMustChange"
attribute. But
> using a LDAP browser, I see that the "sambaPwdMustChange" is
there.
> 
> Any suggestions on how to fix this or what the problem may be?
> 
> 
> Thank you!
> 
> Jason
> 
> 
> [2006/10/04 13:13:00, 5] 
> passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
>   secrets_fetch failed!
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
>   ldapsam_update_sam_account: user jason to be modified has dn: 
> uid=jason,ou=People,dc=amiwest,dc=com
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
>   init_ldap_from_sam: Setting entry for user: jason
> [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
>   ldapsam_modify_entry: Failed to modify user dn= 
> uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
>         modify/delete: sambaPwdMustChange: no such value
> [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
>   ldapsam_update_sam_account: failed to modify user with uid = jason, 
> error: modify/delete: sambaPwdMustChange: no such value (Success)
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>   decode_pw_buffer: incorrect password length (190012133).
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
>   decode_pw_buffer: check that 'encrypt passwords = yes'
> 
> 
> dn: uid=jason,ou=People,dc=amiwest,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> displayName: Jason Shaw
> sambaPasswordHistory: 
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaPwdCanChange: 2
> sambaAcctFlags: [UX]
> sambaPwdLastSet: 1159992792
> sambaPwdMustChange: 1163880792
> modifiersName: cn=Manager,dc=amiwest,dc=com
> modifyTimestamp: 20061004201312Z
> (some stuff cut)
> 
> 
> /etc/openldap/slapd.conf:
> access to 
>
attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
> 
>         by self write
>         by * auth
> 
> 
> /etc/samba/smb.conf:
> [global]
>         enable privileges = Yes
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>         passwd chat debug = Yes
>         encrypt passwords = Yes
>         log level = 1 passdb:7
>         ldap passwd sync = Yes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2006 06:12 PM, Jason Shaw escreveu:
> Hello!
Hi Jason!

> SuSE Linux 10.0
> Samba 3.0.20b
> OpenLDAP backend
> IDEALX scripts v0.9.2
> Windows XP SP2 client
> 
> Everything seems to be working except when changing your password from
> the Windows client (CTRL-ALT-DEL and "Change password"). When I
try to
> change the password I get the following error message.
> 
> "The User name or old password is incorrect. Letters in passwords must
> be typed using the correct case."
	I once had this error with Win2K SP4 and Samba 3.0.10, after
upgrading Samba to 3.0.14a the problem was solved (and it was caused
by a Security Fix from Microsoft).

> But the kicker is that the PDC *did* change both Linux and Windows
> passwords; the client machine is saying there's an error when the
> password was changed.
> 
> According to the log file for the machine, it looks like it may have
> failed because it couldn't find the "sambaPwdMustChange"
attribute. But
> using a LDAP browser, I see that the "sambaPwdMustChange" is
there.
> 
> Any suggestions on how to fix this or what the problem may be?
> Thank you!
> 
> Jason
> 
> 
> [2006/10/04 13:13:00, 5]
> passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
>   secrets_fetch failed!
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
>   ldapsam_update_sam_account: user jason to be modified has dn:
> uid=jason,ou=People,dc=amiwest,dc=com
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
>   init_ldap_from_sam: Setting entry for user: jason
> [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
>   ldapsam_modify_entry: Failed to modify user dn>
uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
>         modify/delete: sambaPwdMustChange: no such value
> [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
>   ldapsam_update_sam_account: failed to modify user with uid = jason,
> error: modify/delete: sambaPwdMustChange: no such value (Success)
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>   decode_pw_buffer: incorrect password length (190012133).
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
>   decode_pw_buffer: check that 'encrypt passwords = yes'
	Are you using customized password restrictions, like
number of characters (min/max)?

> dn: uid=jason,ou=People,dc=amiwest,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: sambaSamAccount
	Why do you have two sambaSamAccounts?

> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> displayName: Jason Shaw
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaPwdCanChange: 2
	That's strange... sambaPwdCanChange in my LDAP looks
like the sambaPwdLastSet and sambaPwdMustChange fields (it is
not the same values, but the same way).

> sambaAcctFlags: [UX]
	My sambaAcctFlags looks like this: "[U         ]"

	With blank spaces.

> sambaPwdLastSet: 1159992792
> sambaPwdMustChange: 1163880792
> modifiersName: cn=Manager,dc=amiwest,dc=com
> modifyTimestamp: 20061004201312Z
> (some stuff cut)
> 
> 
> /etc/openldap/slapd.conf:
> access to
>
attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
> 
>         by self write
>         by * auth
	There is also sambaPwdCanChange to be considered.

> /etc/samba/smb.conf:
> [global]
>         enable privileges = Yes
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>         passwd chat debug = Yes
>         encrypt passwords = Yes
>         log level = 1 passdb:7
>         ldap passwd sync = Yes
	'testparm -v' is also ok?


	Kind regards,

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFK75FCj65ZxU4gPQRAj7QAJ4rdRqNFP1Qs5LbkUiomNZGRO2rPwCgz8I/
HkbwqeSfXbQM3Xlh1DQgktI=Pkvh
-----END PGP SIGNATURE-----