Duncan Brannen
2007-Nov-15 16:46 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Hi,
I just upgraded one of our samba BDC's (with LDAP back end on
solaris 10) from 3.0.23c to
3.0.26a and can no longer mount shares.
The error message I'm seeing in the samba logs is
[2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172)
sam_account_ok: Account for user 'dbb' password must change!.
[2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain
[CLASSROOM] was for this SAM.
[2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED
with error NT_STATUS_PASSWORD_MUST_CHANGE
[2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX)
NT_STATUS_PASSWORD_MUST_CHANGE
I tried reinstalling 3.0.23c and now get
init_sam_from_ldap: Entry found for user: dbb
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
sam_account_ok: Account for user 'dbb' password expired!.
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST'
(4000000) unix time.
[2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain
[CLASSROOM] was for this SAM.
[2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED
with error NT_STATUS_PASSWORD_EXPIRED
Any thoughts? It worked fine earlier. I've tried deleting all the
var/locks tdb files and the private/*.tdb files, resetting the SID and
smbpassword
but it doesn't seem to help. Reasoning for this is there seemed to be a
new Account Policy entry appear in the gencache.tdb file to do with
password age after the upgrade.
There isn't anything set in the samba attributes of the ldap accounts to
do with password expiry so it's all default.
Cheers,
Duncan
Duncan Brannen
2007-Nov-15 17:10 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
It does look like samba > 3.0.23c now writes extra info into the
sambaDomain object in ldap (?)
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutThreshold: 0
sambaMinPwdLength: 5
but that looks like it shouldn't be expiring passwords ( -1 )
Should it?
Cheers,
Duncan
Duncan Brannen wrote:>
>
> Hi,
> I just upgraded one of our samba BDC's (with LDAP back end on
> solaris 10) from 3.0.23c to
> 3.0.26a and can no longer mount shares.
>
> The error message I'm seeing in the samba logs is
> [2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172)
> sam_account_ok: Account for user 'dbb' password must change!.
> [2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80)
> check_winbind_security: Not using winbind, requested domain
> [CLASSROOM] was for this SAM.
> [2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED
> with error NT_STATUS_PASSWORD_MUST_CHANGE
> [2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106)
> error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX)
> NT_STATUS_PASSWORD_MUST_CHANGE
>
>
> I tried reinstalling 3.0.23c and now get
>
>
> init_sam_from_ldap: Entry found for user: dbb
> [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
> sam_account_ok: Account for user 'dbb' password expired!.
> [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
> sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40
BST'
> (4000000) unix time.
> [2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
> check_winbind_security: Not using winbind, requested domain
> [CLASSROOM] was for this SAM.
> [2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED
> with error NT_STATUS_PASSWORD_EXPIRED
>
>
> Any thoughts? It worked fine earlier. I've tried deleting all the
> var/locks tdb files and the private/*.tdb files, resetting the SID and
> smbpassword
> but it doesn't seem to help. Reasoning for this is there seemed to be
> a new Account Policy entry appear in the gencache.tdb file to do with
> password age after the upgrade.
>
> There isn't anything set in the samba attributes of the ldap accounts
> to do with password expiry so it's all default.
>
> Cheers,
> Duncan
>
Duncan Brannen
2007-Nov-15 17:21 UTC
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Rolling back to 3.0.23c has worked. the error with 3.0.23c was a change
made to
my account when looking at the 3.0.26a problem as blatantly obvious from
the log below.
Any ideas as to why 3.0.26a shouldn't be working? I'm guessing it's
something ldap related?
Thanks
Duncan
Duncan Brannen wrote:>
> I tried reinstalling 3.0.23c and now get
>
>
> init_sam_from_ldap: Entry found for user: dbb
> [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
> sam_account_ok: Account for user 'dbb' password expired!.
> [2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
> sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40
BST'
> (4000000) unix time.
> [2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
> check_winbind_security: Not using winbind, requested domain
> [CLASSROOM] was for this SAM.
> [2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED
> with error NT_STATUS_PASSWORD_EXPIRED
>
>
> Cheers,
> Duncan
>