I have samba 3.6.x domain controller (not patched for BADLOCK
yet.) From a linux machine (Fedora Core 23) , smbpasswd fails to
change a password.
[someuser at linux1 /]$ smbpasswd -r pdc
Old SMB password:
New SMB password:
Retype new SMB password:
smb_signing_good: BAD SIG: seq 1
Could not connect to machine pdc: NT_STATUS_ACCESS_DENIED
[someuser at linux1 /]$
FC23 machines have samba 4.3.11 client components installed.
If I ssh to the domain controller, I can change my password
[someuser at pdc]$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=58)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Password changed for user someuser
[someuser at pdc]
I am assuming this is because the client side has the lastest BADLOCK
patches. However I only noticed this when users started
complaining that they could no longer changes passwords from windows
PC's (due to a recent MS patch.) smbpasswd from a linux or solaris
machine was the alternative.
I have not yet tried tweaking the client smb.conf or downgrading to a
pre-patched version. Linux-based samba 4 member servers that have
been upgraded would fail to allow domain users, so those did require a
roll back to a pre-badlock version. Samba 3.x server with badlock patch
still seem compatible with pre-patched DC's.
Thanks
