On Thu, 5 Apr 2018 16:59:15 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> On Thu, 05 Apr 2018 11:31:18 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > OK, I'm having issues with the problem. To summarize, I'm trying to
> > have a normal user change his password from a domain member. I've
> > tried: passwd, kpasswd and 'samba-tool user password -U $USER
> > --ipaddress=<IPofAD/DC>'. All mechanisms do change the domain
> > password and I can log into Windows and Linux domain members, and
> > website requiring domain authentication.
> >
> > HOWEVER, after 1 to 3 days the account becomes locked out. About 2
> > days ago I did the samba-tool method and reported in this thread that
> > it worked. Today I tried to log into my Windows workstation and was
> > locked out. The Samba log message was:
> >
> > [2018/04/05 05:11:38.549997, 2] authentication for user [HPRS/myuser]
> > FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
> >
> > ntlm_auth gives:
> >
> > Unable to Authenticate: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked
> > out (0xc0000234)
> >
> > This all despite the rpcclient saying the expiration is in July.
> >
>
> The problem here is that you are mixing up an expired password and an
> account that is locked out.
> An account can get logged out for various reasons, but the main one is
> something trying to auth with an old or wrong password. Do you have
> anything that tries to authenticate to AD with the username and
> password, if so, check it is using the right password, mobile phones
> are a favourite place to start.
>
> Rowland

I think there might be a bug.

A week ago I used 'samba-tool user setpassword me' as the domain
administrator from the AD server to reset my normal user domain
password. That worked for the past week with no lockout issues. So,
yesterday I decided to again try
samba-tool user password -U $USER --ipaddress=mail
from the domain member workstation as the normal user, $USER. Again,
that worked.

However, once again today (the next day) I am locked out. Furthermore,
if I try to use samba-tool as the Domain Admin to set the password to
the same value as the locked out one, I still could not get in. I had
to change the password to something different.

This behavior is consistent. If, as the normal user, I change the
domain password using samba-tool from the domain member computer, I get
locked out within about a day. If I do the same as the domain admin, no
lockout happens.

I know with certainty this is NOT related to cell phones or other
programs trying to repeatedly authenticate. For one thing, I have no
cell phone or remote mail client accessing this domain. Also, I send an
email notice for EVERY failed domain login attempt. There are no such
failures in the samba log.

I think there is a bug afoot. I would be happy to try any tests anyone
might suggest.

--Mark

Samba 4.4.16

From: Mark Foley via samba <samba at lists.samba.org>
Date: Fri, 13 Apr 2018 09:45:14 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] How to change Domain password as normal user?

6 hours later ...

After resetting to a different password using samba-tool as domain
administrator from the AD server 6 hours ago, and being able to
successfully log in, I find myself locked out AGAIN!

I need a way to reset the lockout indicator. This is a big problem.

--Mark

Need help on this. My account is locked out. Need way to reset.

--Mark

-----Original Message-----
Date: Fri, 13 Apr 2018 14:49:44 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] How to change Domain password as normal user?
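
The distinction drawn in the quoted reply above, between an expired password and a locked-out account, shown as an added example that is not part of the original thread: the two conditions are derived from different directory attributes and can be evaluated independently. The attribute names (lockoutTime, pwdLastSet, maxPwdAge, lockoutDuration) are the standard AD ones; the function names and all values are constructed for illustration, and a finite lockoutDuration is assumed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
NEVER = -(2 ** 63)  # sentinel AD stores for "no limit"

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (used to build the sample)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ticks):
    """AD timestamp (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10)

def interval(ticks):
    """Policy intervals are stored as negative tick counts."""
    return timedelta(microseconds=abs(int(ticks)) // 10)

def account_state(user, policy, now):
    """Report lockout and password expiry as two independent conditions."""
    state = {"locked": False, "unlock_at": None, "expired": False, "expires_at": None}
    lockout = int(user.get("lockoutTime", 0))
    if lockout:  # 0 or absent: never locked, or already cleared
        state["unlock_at"] = from_filetime(lockout) + interval(policy["lockoutDuration"])
        state["locked"] = now < state["unlock_at"]
    max_age = int(policy["maxPwdAge"])
    if max_age not in (0, NEVER):  # these two values mean passwords never expire
        state["expires_at"] = from_filetime(user["pwdLastSet"]) + interval(max_age)
        state["expired"] = now >= state["expires_at"]
    return state

# Constructed sample values, not taken from the thread's directory.
SAMPLE_USER = {
    "pwdLastSet": str(to_filetime(datetime(2018, 4, 12, 10, 0, tzinfo=UTC))),
    "lockoutTime": str(to_filetime(datetime(2018, 4, 13, 9, 30, tzinfo=UTC))),
}
SAMPLE_POLICY = {"maxPwdAge": "-77760000000000",     # 90 days
                 "lockoutDuration": "-18000000000"}  # 30 minutes

if __name__ == "__main__":
    # Same account, checked inside and after the lockout window.
    for when in (datetime(2018, 4, 13, 9, 45, tzinfo=UTC),
                 datetime(2018, 4, 13, 10, 5, tzinfo=UTC)):
        print(when.isoformat(), account_state(SAMPLE_USER, SAMPLE_POLICY, when))
```

In the sample the password is valid until July while the account is locked, and the lock lapses on its own once lockoutDuration has passed even though lockoutTime is still non-zero.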