Jason Shaw
2006-Oct-04 21:10 UTC
[Samba] Windows client does not recognize password change...
Hello! SuSE Linux 10.0 Samba 3.0.20b OpenLDAP backend IDEALX scripts v0.9.2 Windows XP SP2 client Everything seems to be working except when changing your password from the Windows client (CTRL-ALT-DEL and "Change password"). When I try to change the password I get the following error message. "The User name or old password is incorrect. Letters in passwords must be typed using the correct case." But the kicker is that the PDC *did* change both Linux and Windows passwords; the client machine is saying there's an error when the password was changed. According to the log file for the machine, it looks like it may have failed because it couldn't find the "sambaPwdMustChange" attribute. But using a LDAP browser, I see that the "sambaPwdMustChange" is there. Any suggestions on how to fix this or what the problem may be? Thank you! Jason [2006/10/04 13:13:00, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(325) secrets_fetch failed! [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) init_sam_from_ldap: Entry found for user: jason [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) Looking up login cache for user jason [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) No cache entry found [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) init_sam_from_ldap: Entry found for user: jason [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) Looking up login cache for user jason [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) No cache entry found [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714) ldapsam_update_sam_account: user jason to be modified has dn: uid=jason,ou=People,dc=amiwest,dc=com [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926) init_ldap_from_sam: Setting entry for user: jason [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516) ldapsam_modify_entry: Failed to modify user dn= uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute modify/delete: sambaPwdMustChange: no such value [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741) ldapsam_update_sam_account: failed to modify user with uid = jason, error: modify/delete: sambaPwdMustChange: no such value (Success) [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) init_sam_from_ldap: Entry found for user: jason [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83) Looking up login cache for user jason [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97) No cache entry found [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540) decode_pw_buffer: incorrect password length (190012133). [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541) decode_pw_buffer: check that 'encrypt passwords = yes' dn: uid=jason,ou=People,dc=amiwest,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount objectClass: sambaSamAccount sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 displayName: Jason Shaw sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000 00000000 sambaPwdCanChange: 2 sambaAcctFlags: [UX] sambaPwdLastSet: 1159992792 sambaPwdMustChange: 1163880792 modifiersName: cn=Manager,dc=amiwest,dc=com modifyTimestamp: 20061004201312Z (some stuff cut) /etc/openldap/slapd.conf: access to attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by self write by * auth /etc/samba/smb.conf: [global] enable privileges = Yes username map = /etc/samba/smbusers unix password sync = Yes passwd program = /opt/IDEALX/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n passwd chat debug = Yes encrypt passwords = Yes log level = 1 passdb:7 ldap passwd sync = Yes
Jason Shaw
2006-Oct-06 22:37 UTC
[Samba] Re: Windows client does not recognize password change...
Hello, Does anyone have any suggestions on how I might troubleshoot this issue? I haven't heard any suggestions and I'd really like to solve this. I've googled this and every email that has the same "No such attribute - modify/delete: sambaPwdMustChange" error message has no response to it. So, if anyone has any suggestions, I'm all ears! Thank you, Jason Jason Shaw wrote:> Hello! > > > SuSE Linux 10.0 > Samba 3.0.20b > OpenLDAP backend > IDEALX scripts v0.9.2 > Windows XP SP2 client > > Everything seems to be working except when changing your password from > the Windows client (CTRL-ALT-DEL and "Change password"). When I try to > change the password I get the following error message. > > "The User name or old password is incorrect. Letters in passwords must > be typed using the correct case." > > But the kicker is that the PDC *did* change both Linux and Windows > passwords; the client machine is saying there's an error when the > password was changed. > > According to the log file for the machine, it looks like it may have > failed because it couldn't find the "sambaPwdMustChange" attribute. But > using a LDAP browser, I see that the "sambaPwdMustChange" is there. > > Any suggestions on how to fix this or what the problem may be? > > > Thank you! > > Jason > > > [2006/10/04 13:13:00, 5] > passdb/secrets.c:secrets_fetch_trusted_domain_password(325) > secrets_fetch failed! > [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714) > ldapsam_update_sam_account: user jason to be modified has dn: > uid=jason,ou=People,dc=amiwest,dc=com > [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926) > init_ldap_from_sam: Setting entry for user: jason > [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516) > ldapsam_modify_entry: Failed to modify user dn= > uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute > modify/delete: sambaPwdMustChange: no such value > [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741) > ldapsam_update_sam_account: failed to modify user with uid = jason, > error: modify/delete: sambaPwdMustChange: no such value (Success) > [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540) > decode_pw_buffer: incorrect password length (190012133). > [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541) > decode_pw_buffer: check that 'encrypt passwords = yes' > > > dn: uid=jason,ou=People,dc=amiwest,dc=com > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: shadowAccount > objectClass: sambaSamAccount > objectClass: sambaSamAccount > sambaLogonTime: 0 > sambaLogoffTime: 2147483647 > sambaKickoffTime: 2147483647 > displayName: Jason Shaw > sambaPasswordHistory: > 00000000000000000000000000000000000000000000000000000000 > 00000000 > sambaPwdCanChange: 2 > sambaAcctFlags: [UX] > sambaPwdLastSet: 1159992792 > sambaPwdMustChange: 1163880792 > modifiersName: cn=Manager,dc=amiwest,dc=com > modifyTimestamp: 20061004201312Z > (some stuff cut) > > > /etc/openldap/slapd.conf: > access to > attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange > > by self write > by * auth > > > /etc/samba/smb.conf: > [global] > enable privileges = Yes > username map = /etc/samba/smbusers > unix password sync = Yes > passwd program = /opt/IDEALX/sbin/smbldap-passwd %u > passwd chat = *New*password* %n\n *Retype*new*password* %n\n > passwd chat debug = Yes > encrypt passwords = Yes > log level = 1 passdb:7 > ldap passwd sync = Yes
Felipe Augusto van de Wiel
2006-Oct-10 15:38 UTC
[Samba] Windows client does not recognize password change...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/04/2006 06:12 PM, Jason Shaw escreveu:> Hello!Hi Jason!> SuSE Linux 10.0 > Samba 3.0.20b > OpenLDAP backend > IDEALX scripts v0.9.2 > Windows XP SP2 client > > Everything seems to be working except when changing your password from > the Windows client (CTRL-ALT-DEL and "Change password"). When I try to > change the password I get the following error message. > > "The User name or old password is incorrect. Letters in passwords must > be typed using the correct case."I once had this error with Win2K SP4 and Samba 3.0.10, after upgrading Samba to 3.0.14a the problem was solved (and it was caused by a Security Fix from Microsoft).> But the kicker is that the PDC *did* change both Linux and Windows > passwords; the client machine is saying there's an error when the > password was changed. > > According to the log file for the machine, it looks like it may have > failed because it couldn't find the "sambaPwdMustChange" attribute. But > using a LDAP browser, I see that the "sambaPwdMustChange" is there. > > Any suggestions on how to fix this or what the problem may be?> Thank you! > > Jason > > > [2006/10/04 13:13:00, 5] > passdb/secrets.c:secrets_fetch_trusted_domain_password(325) > secrets_fetch failed! > [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714) > ldapsam_update_sam_account: user jason to be modified has dn: > uid=jason,ou=People,dc=amiwest,dc=com > [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926) > init_ldap_from_sam: Setting entry for user: jason > [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516) > ldapsam_modify_entry: Failed to modify user dn> uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute > modify/delete: sambaPwdMustChange: no such value > [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741) > ldapsam_update_sam_account: failed to modify user with uid = jason, > error: modify/delete: sambaPwdMustChange: no such value (Success) > [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499) > init_sam_from_ldap: Entry found for user: jason > [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83) > Looking up login cache for user jason > [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97) > No cache entry found > [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540) > decode_pw_buffer: incorrect password length (190012133). > [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541) > decode_pw_buffer: check that 'encrypt passwords = yes'Are you using customized password restrictions, like number of characters (min/max)?> dn: uid=jason,ou=People,dc=amiwest,dc=com > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: shadowAccount > objectClass: sambaSamAccount > objectClass: sambaSamAccountWhy do you have two sambaSamAccounts?> sambaLogonTime: 0 > sambaLogoffTime: 2147483647 > sambaKickoffTime: 2147483647 > displayName: Jason Shaw > sambaPasswordHistory: > 00000000000000000000000000000000000000000000000000000000 > 00000000 > sambaPwdCanChange: 2That's strange... sambaPwdCanChange in my LDAP looks like the sambaPwdLastSet and sambaPwdMustChange fields (it is not the same values, but the same way).> sambaAcctFlags: [UX]My sambaAcctFlags looks like this: "[U ]" With blank spaces.> sambaPwdLastSet: 1159992792 > sambaPwdMustChange: 1163880792 > modifiersName: cn=Manager,dc=amiwest,dc=com > modifyTimestamp: 20061004201312Z > (some stuff cut) > > > /etc/openldap/slapd.conf: > access to > attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange > > by self write > by * authThere is also sambaPwdCanChange to be considered.> /etc/samba/smb.conf: > [global] > enable privileges = Yes > username map = /etc/samba/smbusers > unix password sync = Yes > passwd program = /opt/IDEALX/sbin/smbldap-passwd %u > passwd chat = *New*password* %n\n *Retype*new*password* %n\n > passwd chat debug = Yes > encrypt passwords = Yes > log level = 1 passdb:7 > ldap passwd sync = Yes'testparm -v' is also ok? Kind regards, - -- Felipe Augusto van de Wiel <felipe@paranacidade.org.br> Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQFFK75FCj65ZxU4gPQRAj7QAJ4rdRqNFP1Qs5LbkUiomNZGRO2rPwCgz8I/ HkbwqeSfXbQM3Xlh1DQgktI=Pkvh -----END PGP SIGNATURE-----
Possibly Parallel Threads
- Problems with userPassword when it's base64 encoded
- samba bad password count reset between logins (not loaded from login_cache.tdb)
- Machines randomly kicks out of the domain
- samba bad password count reset between logins (not loaded from login_cache.tdb)
- incorrect password length when joining domain, need help