samba - Feb 2007 - samba-3.0.23d, smbpasswd, and "NO PASSWORD" behaviour

We've recently started using samba-3.0.23d on Mandriva 2007.0 linux 
systems and we've noticed a change in behaviour of smbpasswd when a 
non-root user tries to change their password from "NO PASSWORD".

Here's an example smbpasswd entry (all one line):

   testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
   NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:


The possibly related settings in our smb.conf are:

   encrypt passwords = yes
   security = user
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *password:* %n\n *password* %n\n *successfully*
   null passwords = no


Since "null passwords = no" a user with "NO PASSWORD" should
not be able
to login to the samba account.  That's working as expected.

In past versions of samba, testuser could login to the linux account, run 
smbpasswd, enter an empty old password, and set a new password.

Now when we try this we get this failure:

   [testuser@localhost ~]$ smbpasswd
   Old SMB password:
   New SMB password:
   Retype new SMB password:
   Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
   Failed to change password for testuser


Does anyone know why this failure is happening now?

Was the behaviour of smbpasswd changed intentionally?
If so, in what samba version did this change happen?

Is there an alternative way to achieve the smbpasswd
behaviour that we had in the past?


Thanks,
--
Todd Pfaff <pfaff@mcmaster.ca>
Research & High-Performance Computing Support
McMaster University, Hamilton, Ontario, Canada
http://www.rhpcs.mcmaster.ca/~pfaff

I've had no responses to this question yet, and I'm still stuck with
this
problem.  Can anybody help, please?

Is this a capability of samba that not many people take advantage of?

Or am I trying to do something that just isn't possible anymore?

Picking through a the level 10 debug log of smbd, I see this:

   [2007/02/26 11:49:36, 3] auth/auth_sam.c:sam_password_ok(51)
   Account for user 'testuser' has no password and null passwords are
NOT
   allowed.
   [2007/02/26 11:49:36, 9]
   passdb/passdb.c:pdb_update_bad_password_count(1373)
   No bad password attempts.
   [2007/02/26 11:49:36, 5] auth/auth.c:check_ntlm_password(273)
   check_ntlm_password: sam authentication for user [testuser] FAILED with
   error NT_STATUS_LOGON_FAILURE


Is it no longer possible for a user to change their own samba password 
from null "NO PASSWORD" using the smbpasswd command?

--
Todd Pfaff <pfaff@mcmaster.ca>
Research & High-Performance Computing Support
McMaster University, Hamilton, Ontario, Canada
http://www.rhpcs.mcmaster.ca/~pfaff

On Thu, 22 Feb 2007, Todd Pfaff wrote:
> We've recently started using samba-3.0.23d on Mandriva 2007.0 linux
systems
> and we've noticed a change in behaviour of smbpasswd when a non-root
user
> tries to change their password from "NO PASSWORD".
>
> Here's an example smbpasswd entry (all one line):
>
>  testuser:12345:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
>  NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
>
>
> The possibly related settings in our smb.conf are:
>
>  encrypt passwords = yes
>  security = user
>  unix password sync = yes
>  passwd program = /usr/bin/passwd %u
>  passwd chat = *password:* %n\n *password* %n\n *successfully*
>  null passwords = no
>
>
> Since "null passwords = no" a user with "NO PASSWORD"
should not be able to
> login to the samba account.  That's working as expected.
>
> In past versions of samba, testuser could login to the linux account, run 
> smbpasswd, enter an empty old password, and set a new password.
>
> Now when we try this we get this failure:
>
>  [testuser@localhost ~]$ smbpasswd
>  Old SMB password:
>  New SMB password:
>  Retype new SMB password:
>  Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
>  Failed to change password for testuser
>
>
> Does anyone know why this failure is happening now?
>
> Was the behaviour of smbpasswd changed intentionally?
> If so, in what samba version did this change happen?
>
> Is there an alternative way to achieve the smbpasswd
> behaviour that we had in the past?
>
>
> Thanks,
> --
> Todd Pfaff <pfaff@mcmaster.ca>
> Research & High-Performance Computing Support
> McMaster University, Hamilton, Ontario, Canada
> http://www.rhpcs.mcmaster.ca/~pfaff
>