Hello,
In what samba version is parameter "old password allowed period"
introduced?
This parameter seems to be the remedy to my problem but I cannot find it with
"testparm -v | grep password"
or in my
"man smb.conf"
Does it even exist in 4.1.17 (just the regular debian package)?
In this document it says it is for samba version 4:
https://www.mankier.com/5/smb.conf
I found this where the parameter is introduced:
https://jelmer.uk/klaus/samba/commit/9d5f4cabf3f491fd1c22dbc1daaad8a657d12914/
Is there an easy solution to use this parameter in 4.1.17?
I set "Enforce Password History" to value "0" in the GPO. Login with the
previous old password is no longer possible BUT I cannot change the new
password to any old passwords. That should be possible with no history,
shouldn't it? I tried it several times. Somehow the password history still
works regarding that. But why? I moved gencache.tdb in /var/cache/samba to
oldgenchache.tdb but still the same behaviour... I restarted samba... Why
does the password history still work? Where does Samba store the password
history?
This behaviour is perfect for what I want, but there is no logic in it.
There must be some lack of understanding here...
And for what reasons should one want a 60 minutes permit on NTLM login
after a password change anyway?
kind regards, birgit
Rowland Penny <rpenny at samba.org> writes:
>On 04/02/16 20:02, oeh univie edv lists wrote:
>> Hello,
>>
>> Some users in my domain report that they have to use different (old)
>> passwords on different computers. They say that they still have to use
>> their "old" passwords after they changed it. My domain setup is that users
>> are asked to automatically change their password on Windows 7 Enterprise
>> after some months. So they have to do that. Otherwise they cannot login.
>> But why is it, that the old password is still requested on some computers?
>> Can this happen, when users do not turn off Windows 7 computers (are still
>> logged in on the PC where they changed the password) and switch to other
>> computers?
>>
>> I looked in all relevant logs in /var/log, auth.log and in all logs in
>> directory samba. I cannot even find ANY information for user
>> authentication. Where to look? Which log is relevant? How to raise the log
>> level?
>>
>> I run a Samba Active Directory DC 4.1.17 on Debian Jessie.
>>
>> I attached some logs to the mail how /var/log looks ... hardly any logging
>> except for startups and shutdowns of samba. I restarted samba and attached
>> the logs. How to monitor this problem?
>>
>> Any help why this happens is much appreciated.
>>
>> KR, birgit
>>
>>
>>
>>
>> /var/log/samba
>> 20:50:33 # ls -la
>> insgesamt 76
>> drwxr-x--- 3 root adm 4096 Feb 3 06:25 .
>> drwxr-xr-x 9 root root 4096 Feb 4 06:25 ..
>> drwx------ 4 root root 4096 Okt 4 19:59 cores
>> -rw-r--r-- 1 root root 0 Okt 4 19:59 log.
>> -rw-r--r-- 1 root root 0 Okt 11 06:25 log.nmbd
>> -rw-r--r-- 1 root root 373 Okt 4 22:36 log.nmbd.1.gz
>> -rw-r--r-- 1 root root 47049 Feb 4 20:49 log.samba
>> -rw-r--r-- 1 root root 829 Feb 4 20:50 log.smbd
>> -rw-r--r-- 1 root root 394 Feb 2 17:46 log.smbd.1
>>
>>
>> more log.smbd
>> [2016/02/04 20:49:56, 0] ../source3/smbd/server.c:1189(main)
>> smbd version 4.1.17-Debian started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2013
>> [2016/02/04 20:49:56.632305, 0]
>> ../lib/util/become_daemon.c:136(daemon_ready)
>> STATUS=daemon 'smbd' finished starting up and ready to serve
>> connectionsUnable to connect to CUPS server localhost:631 - Ungültiger
>> Dateideskriptor
>> STATUS=daemon 'smbd' finished starting up and ready to serve
>> connectionsfailed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
>> [2016/02/04 20:50:56.705359, 0]
>> ../source3/printing/print_cups.c:151(cups_connect)
>> Unable to connect to CUPS server localhost:631 - Ungültiger
>> Dateideskriptor
>> [2016/02/04 20:50:56.705745, 0]
>> ../source3/printing/print_cups.c:528(cups_async_callback)
>> failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
>>
>> more samba.log
>> [2016/02/04 20:49:55.974285, 0]
>> ../source4/smbd/server.c:370(binary_smbd_main)
>> samba version 4.1.17-Debian started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2013
>> [2016/02/04 20:49:56.170079, 0]
>> ../source4/smbd/server.c:488(binary_smbd_main)
>> samba: using 'standard' process model
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> [2016/02/04 20:49:56.217188, 0]
>> ../lib/util/become_daemon.c:136(daemon_ready)
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>>
>>
>>
>>
>
>If a password is changed but the old password still works on *some*
>windows machines, then this is very probably not a Samba problem, it
>could in fact be a windows 'feature', see here:
>
>https://support.microsoft.com/en-us/kb/906305
>
>Rowland
>
thank you! I found "Enforce Password History" in the GPO. It is set to 24
per default, so that the password has to be changed to 24 new passwords
before an old password can be changed to again... but to disable that
means that users can reuse their old password immediately if they are
prompted for a new one... yet it is also annoying that the old ones are
still valid... I'd rather change the OldPasswordAllowedPeriod. But I do
not know how to do that...