Yudai Yamagishi
2014-Oct-24 05:42 UTC
[Samba] Changing user account passwords using smbpasswd after password expiration
Hello,

I'm currently having a problem where a non-root user can't change his/her own password using the smbpasswd command after the password expiration, and would like to know how I could solve this problem.

Currently, I have a samba server running on CentOS 6.5 with its passdb backend configured to another LDAP server. The samba version I'm currently using is samba-3.6.9-169, which should be the latest version provided by yum on CentOS 6. The setup is working perfectly as it should except for the one issue I mentioned above, which is that a user with an expired password cannot change their own password using the smbpasswd command.

I currently have the following samba-related entries in each user in my LDAP database:

sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1406347540

Also, I have sambaDomainName=WORKGROUP with entries like the following:

sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaMinPwdLength: 6
sambaLogonToChgPwd: 2
sambaLockoutDuration: 1
sambaMaxPwdAge: 7776000
sambaLockoutObservationWindow: 1
sambaLockoutThreshold: 5

With these settings pdbedit shows the following output:

# pdbedit -u USERNAME -v
Unix username:        USERNAME
NT username:          USERNAME
Account Flags:        [U          ]
User SID:             **DELETED**
Primary Group SID:    **DELETED**
Full Name:            USERNAME
Home Directory:
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:
Domain:               WORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 12:14:07 JST
Kickoff time:         Tue, 19 Jan 2038 12:14:07 JST
Password last set:    Sat, 26 Jul 2014 13:05:40 JST
Password can change:  Sat, 26 Jul 2014 13:05:40 JST
Password must change: Fri, 24 Oct 2014 13:05:40 JST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -P "maximum password age" -v
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 7776000

# pdbedit -P "minimum password age" -v
account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0

# pdbedit -P "user must logon to change password" -v
account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 2

# pdbedit -P "refuse machine password change" -v
account policy "refuse machine password change" description: Allow Machine Password changes (default: 0 => off)
account policy "refuse machine password change" value is: 0

When I run smbpasswd (smbpasswd -U USERNAME) from a non-root user, it dies with:

SPNEGO login failed: Password expired    (shown when -D 10)
cli_init_creds: user domain              (shown when -D 10)
Failed to change password!

I can't paste all the server logs here, but the following log lines seem to be related (log level 50):

[2014/10/24 14:34:08.679682,  5] auth/check_samsec.c:165(logon_hours_ok)
  logon_hours_ok: user USERNAME allowed to logon at this time (Fri Oct 24 05:34:08 2014 )
[2014/10/24 14:34:08.679736,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679773,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/10/24 14:34:08.679809,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/10/24 14:34:08.679845,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2014/10/24 14:34:08.679881,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/10/24 14:34:08.679942, 11] passdb/pdb_ldap.c:4040(ldapsam_get_account_policy)
  ldapsam_get_account_policy: got valid value from cache
[2014/10/24 14:34:08.679982,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/10/24 14:34:08.680020,  1] auth/check_samsec.c:224(sam_account_ok)
  sam_account_ok: Account for user 'USERNAME' password expired!
[2014/10/24 14:34:08.680062,  1] auth/check_samsec.c:225(sam_account_ok)
  sam_account_ok: Password expired at 'Fri, 24 Oct 2014 13:05:40 JST' (1414123540) unix time.
[2014/10/24 14:34:08.680108,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680152, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [USERNAME]
[2014/10/24 14:34:08.680188,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/10/24 14:34:08.680223, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2014/10/24 14:34:08.680260,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2014/10/24 14:34:08.680306,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_EXPIRED

The issue I'm having sounds like the bug mentioned in the bug report below:
https://bugzilla.samba.org/show_bug.cgi?id=4085

However, since I am running a version which should have the patch applied, I don't think this bug applies to my case.

So, can anyone shed some light on what's going on here?

Best Regards,
Yudai Yamagishi
Ricky Nance
2014-Oct-25 03:36 UTC
[Samba] Changing user account passwords using smbpasswd after password expiration
Hi Yudai,

On Oct 24, 2014 12:51 AM, "Yudai Yamagishi" <yummy at sfc.wide.ad.jp> wrote:
> Hello,
>
> I'm currently having a problem where a non-root user can't change his/her own
> password using smbpasswd command after the password expiration and would
> like to know how I could solve this problem.

I think this is expected behavior for all systems; I know for sure this is how a Windows domain acts. Once the password is expired, the user shouldn't be able to access the system (to reset or otherwise).

Hope that helps,
Ricky
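The numbers in the first post line up: sambaPwdLastSet (1406347540) plus sambaMaxPwdAge (7776000) is 1414123540, exactly the "Password must change" time pdbedit prints and the epoch in the sam_account_ok log line, while the per-user sambaPwdMustChange of 2147483647 plays no part in what pdbedit reports. The model below is an added illustration, not code from either poster or from Samba. It reproduces that derivation and the expired-or-not decision Ricky describes (a logon after the must-change time is refused, so an expired user cannot get far enough to run smbpasswd), and adds the admin-side check a defender actually wants: a list of accounts that will expire within a warning window so they can be told to change their password, or have sambaPwdLastSet reset by an administrator, before they lock out. The expiry rule it encodes (last-set time plus the "maximum password age" policy, with policy -1 or the X account flag meaning never, and last-set 0 meaning "change at next logon") is my reading of Samba 3.x behaviour, consistent with the page's values; the function names, the sample user and policy dictionaries, and the 14:34:08 JST "now" taken from the log timestamps are all constructed here.

```python
"""Model of how the "Password must change" time and NT_STATUS_PASSWORD_EXPIRED
arise from sambaPwdLastSet and the sambaMaxPwdAge account policy.

Added illustration, not Samba source. Assumed rule: must-change time is
sambaPwdLastSet + "maximum password age"; a policy value of -1, or an
account carrying the X (password never expires) flag, means never; a
last-set time of 0 means the password must be changed at next logon.
"""
from datetime import datetime, timedelta, timezone

TIME_T_MAX = 2147483647      # the 32-bit "never" value seen in the LDAP entries
NEVER_EXPIRE = 0xFFFFFFFF    # policy value -1 as it is stored in a uint32

# Constructed sample: the domain policy from sambaDomainName=WORKGROUP in the thread.
DOMAIN_POLICY = {
    "sambaMinPwdAge": 0,
    "sambaMaxPwdAge": 7776000,      # 90 days, in seconds
    "sambaLogonToChgPwd": 2,
}

# Constructed sample: one user entry carrying the attributes quoted in the thread.
USER_ENTRY = {
    "uid": "USERNAME",
    "sambaAcctFlags": "[U          ]",
    "sambaPwdLastSet": 1406347540,      # Sat, 26 Jul 2014 13:05:40 JST
    "sambaPwdMustChange": 2147483647,   # stored in LDAP, but not what pdbedit reports
}


def pass_must_change_time(entry, policy):
    """Epoch second after which a logon is refused with NT_STATUS_PASSWORD_EXPIRED.

    Returns 0 for "must change at next logon" and TIME_T_MAX for "never".
    """
    last_set = int(entry.get("sambaPwdLastSet", 0))
    if last_set == 0:
        return 0
    if "X" in entry.get("sambaAcctFlags", ""):     # password never expires flag
        return TIME_T_MAX
    max_age = int(policy.get("sambaMaxPwdAge", NEVER_EXPIRE))
    if max_age in (-1, NEVER_EXPIRE):
        return TIME_T_MAX
    return last_set + max_age


def account_password_status(entry, policy, now):
    """Mirror the sam_account_ok decision for a logon attempt at epoch `now`."""
    must_change = pass_must_change_time(entry, policy)
    if must_change != 0 and now > must_change:
        return "NT_STATUS_PASSWORD_EXPIRED"
    return "NT_STATUS_OK"


def expiring_soon(entries, policy, now, within_seconds=7 * 86400):
    """Admin-side check: uids whose password expires inside the warning window.

    Accounts that never expire, or that must change at next logon, are skipped.
    """
    hits = []
    for entry in entries:
        must_change = pass_must_change_time(entry, policy)
        if must_change in (0, TIME_T_MAX):
            continue
        if now <= must_change <= now + within_seconds:
            hits.append(entry["uid"])
    return hits


def fmt_jst(epoch):
    """Render an epoch second the way pdbedit printed it in the thread (JST)."""
    jst = timezone(timedelta(hours=9))
    return datetime.fromtimestamp(epoch, jst).strftime("%a, %d %b %Y %H:%M:%S JST")


if __name__ == "__main__":
    NOW = 1414128848   # 2014/10/24 14:34:08 JST, the timestamp of the quoted smbd log
    must_change = pass_must_change_time(USER_ENTRY, DOMAIN_POLICY)
    print("Password must change:", fmt_jst(must_change), f"({must_change})")
    print("Logon at", fmt_jst(NOW), "->",
          account_password_status(USER_ENTRY, DOMAIN_POLICY, NOW))
    five_days_earlier = NOW - 5 * 86400
    print("Expiring within 7 days of", fmt_jst(five_days_earlier), "->",
          expiring_soon([USER_ENTRY], DOMAIN_POLICY, five_days_earlier))
```

Run against a real directory, the `expiring_soon` check would be fed the sambaPwdLastSet and sambaAcctFlags attributes of every sambaSamAccount entry; the point of running it on a schedule is that the only clean recovery once the deadline has passed is an administrator resetting the password or the last-set time, exactly the situation the thread describes.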