Hi there, I'm working on a new print server to replace one that's pretty long in the tooth. I'm using standard packages from Ubuntu Hardy Heron which appears to be Samba 3.0.28a. We use LDAP for the authentication backend. I seem to have that configured properly as I get a ldap_connect_system: succesful connection to the LDAP server in the log but every login fails with: FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE I haven't found much searching other than this is something that appeared to happen with 3.0.28a. We have no password policy and have not had this trouble with any previous version of Samba. Is it a bug? It there any fix for this or do I need to go back to dappper or compile a different version? Thank you -- John Baker Network Systems Administrator Marlboro College Phone: 451-7551 off campus; 551 on campus
Jeff LePage
2008-Aug-15 19:31 UTC
[Samba] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
I'm having the same problem with Ubuntu Hardy Heron. It seems that there is a bug (fixed in 3.0.31) that causes NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon. See us1.samba.org/samba/history/samba-3.0.31.html) I also found this:> Beginning with Samba 3.0.2, passwords for > accounts with a last change time (LCT-XXX in smbpasswd,sambaPwdLastSet> attribute in ldapsam, etc...) of zero (0) will be regarded asuninitialized> strings. This will cause authentication to fail for such accounts.If you> have valid passwords that meet this criteria, you must update the lastchange> time to a non-zero value. If you do not, then 'pdbedit--force-initialized-> passwords' will disable these accounts and reset the password hashesto a> string of X's.After joining the domain controller ('join rpc -S sambaserver -U sambadmin') my machine accounts have last-change-time set to zero. I did this to fix it, but I don't know if it's really working; at least one user is still reporting a problem. My method: 1) smbpasswd machinename$ ...this sets the password and also the last-change-time to a non-zero value, but also resets the machine account to a non-machine account. 2) rejoin the domain: join rpc -S sambaserver -U sambadmin After this everything is as before, except that the pwd-last-change-time is set to a non-zero value. Since doing this it was also suggested that I try 'net rpc changetrustpw' Ubuntu hardy heron (running 3.0.28a) seems to suffer from at least 2 bad bugs: 1) the NT_STATUS_PASSWORD_MUST_CHANGE bug mentioned above 2) problems when running winbind on a samba PDC I face a difficult choice now. Do I rebuild my server from source, or do I try a workaround? This new PDC needs to be up and running by Monday, and I have a lot of other chores to perform my Monday. Anyone with suggestions? Workarounds? John Baker: please contact me. Maybe we can help each other. -----Original Message----- From: samba-bounces+jeff.lepage=asg.com@lists.samba.org [mailto:samba-bounces+jeff.lepage=asg.com@lists.samba.org] On Behalf Of John Baker Sent: Friday, August 15, 2008 12:45 PM To: samba@lists.samba.org Subject: [Samba] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE Hi there, I'm working on a new print server to replace one that's pretty long in the tooth. I'm using standard packages from Ubuntu Hardy Heron which appears to be Samba 3.0.28a. We use LDAP for the authentication backend. I seem to have that configured properly as I get a ldap_connect_system: succesful connection to the LDAP server in the log but every login fails with: FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE I haven't found much searching other than this is something that appeared to happen with 3.0.28a. We have no password policy and have not had this trouble with any previous version of Samba. Is it a bug? It there any fix for this or do I need to go back to dappper or compile a different version? Thank you -- John Baker Network Systems Administrator Marlboro College Phone: 451-7551 off campus; 551 on campus -- To unsubscribe from this list go to the following URL and read the instructions: lists.samba.org/mailman/listinfo/samba