samba - Oct 2019 - Old samba password is valid after setting the new one.

Hi,

I've detected a very strange behavior on samba 4.8.9 and 4.10.6.
After setting a new password for a user with samba-tool the old
password remains valid. The user can use both passwords.
After setting the third password become the first password invalid:

:~ # samba-tool user setpassword extisadm --newpassword=12AbCdEf
Changed password OK
:~ # samba-tool user setpassword extisadm --newpassword=12AbCdEG
Changed password OK
:~ # smbclient -L admin -U extisadm%12AbCdEf

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk      
        groups          Disk      Shared directories of groups .....
        users           Disk      All users
        all             Disk      Folder for all
        alladmins       Disk      Folder for administration personal
        software        Disk      Folder for software
:~ # samba-tool user setpassword extisadm --newpassword=12AbCdEC
:~ # smbclient -L admin -U extisadm%12AbCdEf
session setup failed: NT_STATUS_LOGON_FAILURE

Is it a bug or a feature?

-- 
Dipl.-Ing. P?ter Varkoly
Greuleinweg 37.
D-90411 N?rnberg

On Fri, 2019-10-25 at 22:39 +0200, Dipl.-Ing. P?ter Varkoly via samba
wrote:
> Hi,
> 
> I've detected a very strange behavior on samba 4.8.9 and 4.10.6.
> After setting a new password for a user with samba-tool the old
> password remains valid. The user can use both passwords.
> Is it a bug or a feature?
Feature.  Designed to allow logins to still work that have the old
password cached, otherwise network shares can't reconnect. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 25/10/2019 21:39, Dipl.-Ing. P?ter Varkoly via samba
wrote:
> Hi,
>
> I've detected a very strange behavior on samba 4.8.9 and 4.10.6.
> After setting a new password for a user with samba-tool the old
> password remains valid. The user can use both passwords.
> After setting the third password become the first password invalid:
>
> :~ # samba-tool user setpassword extisadm --newpassword=12AbCdEf
> Changed password OK
> :~ # samba-tool user setpassword extisadm --newpassword=12AbCdEG
> Changed password OK
> :~ # smbclient -L admin -U extisadm%12AbCdEf
>
>          Sharename       Type      Comment
>          ---------       ----      -------
>          sysvol          Disk
>          groups          Disk      Shared directories of groups .....
>          users           Disk      All users
>          all             Disk      Folder for all
>          alladmins       Disk      Folder for administration personal
>          software        Disk      Folder for software
> :~ # samba-tool user setpassword extisadm --newpassword=12AbCdEC
> :~ # smbclient -L admin -U extisadm%12AbCdEf
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Is it a bug or a feature?
>
I think this a feature, a Windows feature ;-)

Try changing the password and then wait an hour or so and then try the 
old password, it shouldn't work.

Rowland

Thanks for rapid answer!
Am Samstag, den 26.10.2019, 09:53 +1300 schrieb Andrew
Bartlett:
> On Fri, 2019-10-25 at 22:39 +0200, Dipl.-Ing. P?ter Varkoly via samba
> wrote:
> > Hi,
> > 
> > I've detected a very strange behavior on samba 4.8.9 and 4.10.6.
> > After setting a new password for a user with samba-tool the old
> > password remains valid. The user can use both passwords.
> > Is it a bug or a feature?
> 
> Feature.  Designed to allow logins to still work that have the old
> password cached, otherwise network shares can't reconnect. 
> 
> Andrew Bartlett
> 
-- 
Dipl.-Ing. P?ter Varkoly
Greuleinweg 37.
D-90411 N?rnberg