Duncan Brannen
2007-Nov-15 16:46 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Hi, I just upgraded one of our samba BDC's (with LDAP back end on solaris 10) from 3.0.23c to 3.0.26a and can no longer mount shares. The error message I'm seeing in the samba logs is [2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172) sam_account_ok: Account for user 'dbb' password must change!. [2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80) check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM. [2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319) check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE [2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106) error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE I tried reinstalling 3.0.23c and now get init_sam_from_ldap: Entry found for user: dbb [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178) sam_account_ok: Account for user 'dbb' password expired!. [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' (4000000) unix time. [2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80) check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM. [2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319) check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_EXPIRED Any thoughts? It worked fine earlier. I've tried deleting all the var/locks tdb files and the private/*.tdb files, resetting the SID and smbpassword but it doesn't seem to help. Reasoning for this is there seemed to be a new Account Policy entry appear in the gencache.tdb file to do with password age after the upgrade. There isn't anything set in the samba attributes of the ldap accounts to do with password expiry so it's all default. Cheers, Duncan
Duncan Brannen
2007-Nov-15 17:10 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
It does look like samba > 3.0.23c now writes extra info into the sambaDomain object in ldap (?) sambaPwdHistoryLength: 0 sambaMaxPwdAge: -1 sambaMinPwdAge: 0 sambaLockoutThreshold: 0 sambaMinPwdLength: 5 but that looks like it shouldn't be expiring passwords ( -1 ) Should it? Cheers, Duncan Duncan Brannen wrote:> > > Hi, > I just upgraded one of our samba BDC's (with LDAP back end on > solaris 10) from 3.0.23c to > 3.0.26a and can no longer mount shares. > > The error message I'm seeing in the samba logs is > [2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172) > sam_account_ok: Account for user 'dbb' password must change!. > [2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80) > check_winbind_security: Not using winbind, requested domain > [CLASSROOM] was for this SAM. > [2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319) > check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED > with error NT_STATUS_PASSWORD_MUST_CHANGE > [2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106) > error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) > NT_STATUS_PASSWORD_MUST_CHANGE > > > I tried reinstalling 3.0.23c and now get > > > init_sam_from_ldap: Entry found for user: dbb > [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178) > sam_account_ok: Account for user 'dbb' password expired!. > [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179) > sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' > (4000000) unix time. > [2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80) > check_winbind_security: Not using winbind, requested domain > [CLASSROOM] was for this SAM. > [2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319) > check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED > with error NT_STATUS_PASSWORD_EXPIRED > > > Any thoughts? It worked fine earlier. I've tried deleting all the > var/locks tdb files and the private/*.tdb files, resetting the SID and > smbpassword > but it doesn't seem to help. Reasoning for this is there seemed to be > a new Account Policy entry appear in the gencache.tdb file to do with > password age after the upgrade. > > There isn't anything set in the samba attributes of the ldap accounts > to do with password expiry so it's all default. > > Cheers, > Duncan >
Duncan Brannen
2007-Nov-15 17:21 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Rolling back to 3.0.23c has worked. the error with 3.0.23c was a change made to my account when looking at the 3.0.26a problem as blatantly obvious from the log below. Any ideas as to why 3.0.26a shouldn't be working? I'm guessing it's something ldap related? Thanks Duncan Duncan Brannen wrote:> > I tried reinstalling 3.0.23c and now get > > > init_sam_from_ldap: Entry found for user: dbb > [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178) > sam_account_ok: Account for user 'dbb' password expired!. > [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179) > sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' > (4000000) unix time. > [2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80) > check_winbind_security: Not using winbind, requested domain > [CLASSROOM] was for this SAM. > [2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319) > check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED > with error NT_STATUS_PASSWORD_EXPIRED > > > Cheers, > Duncan >