I'm doing some test moving from a NT domain to ad AD domain, using
debian jessie samba (4.2) and obviously the 'classicupgrade' procedure.
In my setup i use(d) extensively some script to reset password to
users. I was (ab)used to have 'smbpasswd' behave differently if
executed by root, eg change the password without taking in
consideration password policy and check password scripts.
This seems not the case for AD mode (using 'gaio' as password):
root at lupus:~# smbpasswd gaio
New SMB password:
Retype new SMB password:
Failed to modify account record
CN=gaio,CN=Users,DC=ad,DC=corsi,DC=sv,DC=lnf,DC=it to set user attributes:
0000052D: Constraint violation - check_password_restrictions: the password is
too short. It should be equal or longer than 8 characters!
Failed to modify entry for user gaio.
root at lupus:~# samba-tool user setpassword gaio
New Password:
ERROR: Failed to set password for user 'gaio': (19, '0000052D:
Constraint violation - check_password_restrictions: the password is too short.
It should be equal or longer than 8 characters!')
This is ''intended'', or is a bug of samba 4.2 version?
There's some way to circumvent it?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Wed, 21 Jun 2017 10:44:02 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> > I'm doing some test moving from a NT domain to ad AD domain, using > debian jessie samba (4.2) and obviously the 'classicupgrade' > procedure.You will probably be better off using a later version of Samba, 4.2 is EOL as far as Samba is concerned. You can easily do this by going here: http://apt.van-belle.nl/> > In my setup i use(d) extensively some script to reset password to > users. I was (ab)used to have 'smbpasswd' behave differently if > executed by root, eg change the password without taking in > consideration password policy and check password scripts. > > This seems not the case for AD mode (using 'gaio' as password): > > root at lupus:~# smbpasswd gaio > New SMB password: > Retype new SMB password: > Failed to modify account record > CN=gaio,CN=Users,DC=ad,DC=corsi,DC=sv,DC=lnf,DC=it to set user > attributes: 0000052D: Constraint violation - > check_password_restrictions: the password is too short. It should be > equal or longer than 8 characters! Failed to modify entry for user > gaio. > > root at lupus:~# samba-tool user setpassword gaio > New Password: > ERROR: Failed to set password for user 'gaio': (19, '0000052D: > Constraint violation - check_password_restrictions: the password is > too short. It should be equal or longer than 8 characters!') > > This is ''intended'', or is a bug of samba 4.2 version? > > > There's some way to circumvent it?It all depends if you are trying to change the passwords after the new AD domain is created, or during the upgrade. If it is the later, then probably not, but if you are changing them once the domain is up and running, you can use another samba-tool command: samba-tool domain passwordsettings set --complexity=off Rowland
Mandi! Rowland Penny via samba In chel di` si favelave...> You will probably be better off using a later version of Samba, 4.2 is > EOL as far as Samba is concerned. You can easily do this by going here: > http://apt.van-belle.nl/Thanks for the link. Could be sufficient to use 'backported' samba package, eg, samba from squeeze?> > There's some way to circumvent it? > It all depends if you are trying to change the passwords after the new > AD domain is created, or during the upgrade.After, after... sorry, i've not specified it...> the domain is up and running, you can use another samba-tool command: > samba-tool domain passwordsettings set --complexity=off...apart that samba-tool in 4.2 seems does not have a --complexity=off parameters, you mean i've to turn off password complexity, do a password change, and the restore it (i suppose --complexity=on)? There's really no way to set/force a password?! -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Mandi! Rowland Penny via samba In chel di` si favelave...> samba-tool domain passwordsettings set --complexity=offAhem, i've typed '--comploxity'... sorry... OK, option is available in samba-tool in 4.2, but does not seems to work: root at lupus:~# samba-tool domain passwordsettings set --complexity=off Password complexity deactivated! All changes applied successfully! root at lupus:~# smbpasswd gaio New SMB password: Retype new SMB password: Failed to modify account record CN=gaio,CN=Users,DC=ad,DC=corsi,DC=sv,DC=lnf,DC=it to set user attributes: 0000052D: Constraint violation - check_password_restrictions: the password is too short. It should be equal or longer than 8 characters! Failed to modify entry for user gaio. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Wed, 21 Jun 2017 14:10:24 +0200 Marco Gaiarin <gaio at sv.lnf.it> wrote:> Mandi! Rowland Penny via samba > In chel di` si favelave... > > > You will probably be better off using a later version of Samba, 4.2 > > is EOL as far as Samba is concerned. You can easily do this by > > going here: http://apt.van-belle.nl/ > > Sorry, i've tried to upgrade using the 'backport' version (eg, samba > from stretch) but i'm hitting a trouble on winbind: > > root at lupus:~# dpkg --configure --pending > Configurazione di winbind (2:4.5.8+dfsg-2~bpo8+1)... > Job for winbind.service failed. See 'systemctl status > winbind.service' and 'journalctl -xn' for details. invoke-rc.d: > initscript winbind, action "start" failed. dpkg: errore > nell'elaborare il pacchetto winbind (--configure): il sottoprocesso > installato script di post-installation ha restituito lo stato di > errore 1 dpkg: problemi con le dipendenze impediscono la > configurazione di libpam-winbind:amd64: libpam-winbind:amd64 dipende > da winbind (= 2:4.5.8+dfsg-2~bpo8+1); comunque: Il pacchetto winbind > non è ancora configurato. > > dpkg: errore nell'elaborare il pacchetto libpam-winbind:amd64 > (--configure): problemi con le dipendenze - lasciato non configurato > dpkg: problemi con le dipendenze impediscono la configurazione di > libnss-winbind:amd64: libnss-winbind:amd64 dipende da winbind (> 2:4.5.8+dfsg-2~bpo8+1); comunque: Il pacchetto winbind non è ancora > configurato. > > dpkg: errore nell'elaborare il pacchetto libnss-winbind:amd64 > (--configure): problemi con le dipendenze - lasciato non configurato > Elaborazione dei trigger per libc-bin (2.19-18+deb8u10)... > Si sono verificati degli errori nell'elaborazione: > winbind > libpam-winbind:amd64 > libnss-winbind:amd64 > > > looking at logs: > > root at lupus:~# journalctl -xn > -- Logs begin at mer 2017-06-21 12:30:13 CEST, end at mer 2017-06-21 > 14:07:55 CEST. -- giu 21 14:07:54 lupus > systemd-fstab-generator[16314]: Checking was requested for > "/var/src", but it is not a device. giu 21 14:07:55 lupus > systemd-sysv-generator[16319]: Ignoring creation of an alias > umountiscsi.service for itself giu 21 14:07:55 lupus systemd[1]: > Reloading. giu 21 14:07:55 lupus systemd-fstab-generator[16344]: > Checking was requested for "/var/tmp", but it is not a device. giu 21 > 14:07:55 lupus systemd-fstab-generator[16344]: Checking was requested > for "/var/src", but it is not a device. giu 21 14:07:55 lupus > systemd-sysv-generator[16349]: Ignoring creation of an alias > umountiscsi.service for itself giu 21 14:07:55 lupus systemd[1]: > Starting Samba Winbind Daemon... -- Subject: L'unità winbind.service > inizia la fase di avvio -- Defined-By: systemd -- Support: > http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- > L'unità winbind.service ha iniziato la fase di avvio. giu 21 14:07:55 > lupus systemd[1]: winbind.service: main process exited, code=exited, > status=1/FAILURE giu 21 14:07:55 lupus systemd[1]: Failed to start > Samba Winbind Daemon. -- Subject: L'unità winbind.service è fallita > -- Defined-By: systemd -- Support: > http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- > L'unità winbind.service è fallita. -- -- Il risultato è failed. > giu 21 14:07:55 lupus systemd[1]: Unit winbind.service entered > failed state. > > > before firing up a bugs in debian BTS, i'll ask you if there's know > glitches in your package. > > > Thanks. >Hi Louis, I 'think' this guy is trying to use your packages, but as you can see, he is having problems, anything you can do to help ? Rowland
L.P.H. van Belle
2017-Jun-21 13:03 UTC
[Samba] Classic upgrade and forced password change...
Sorry, i see jessie in his packages. I have had a look in the bug reports. See : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816301 Post smb.conf also so we can check if you have more config errors.>From the above link, if you have :'security = share' Change that to security = user map to guest = Bad User Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: woensdag 21 juni 2017 14:53 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Classic upgrade and forced password change... > > Yes, a know thing, but is he using jessie or stretch. > > The upgrade from samba 4.2.x to 4.4.5 or up. > > Few options. > > 1) check if /etc/nsswitch.conf contains : > ,,, : compat winbind > And not : winbid compat > That bug is yesterday reported in debian. > > apt-get remove samba winbind samba-* > When done > apt-get install samba winbind > > This keeps all data. > Just dont purge. > > Let me know if it worked for you. > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland Penny > > via samba > > Verzonden: woensdag 21 juni 2017 14:38 > > Aan: samba at lists.samba.org > > Onderwerp: Re: [Samba] Classic upgrade and forced password change... > > > > On Wed, 21 Jun 2017 14:10:24 +0200 > > Marco Gaiarin <gaio at sv.lnf.it> wrote: > > > > > Mandi! Rowland Penny via samba > > > In chel di` si favelave... > > > > > > > You will probably be better off using a later version of > > Samba, 4.2 > > > > is EOL as far as Samba is concerned. You can easily do > > this by going > > > > here: http://apt.van-belle.nl/ > > > > > > Sorry, i've tried to upgrade using the 'backport' version > > (eg, samba > > > from stretch) but i'm hitting a trouble on winbind: > > > > > > root at lupus:~# dpkg --configure --pending Configurazione > di winbind > > > (2:4.5.8+dfsg-2~bpo8+1)... > > > Job for winbind.service failed. See 'systemctl status > > winbind.service' > > > and 'journalctl -xn' for details. invoke-rc.d: > > > initscript winbind, action "start" failed. dpkg: errore > > nell'elaborare > > > il pacchetto winbind (--configure): il sottoprocesso > > installato script > > > di post-installation ha restituito lo stato di errore 1 > > dpkg: problemi > > > con le dipendenze impediscono la configurazione di > > > libpam-winbind:amd64: libpam-winbind:amd64 dipende da winbind (= > > > 2:4.5.8+dfsg-2~bpo8+1); comunque: Il pacchetto winbind > non è ancora > > > configurato. > > > > > > dpkg: errore nell'elaborare il pacchetto libpam-winbind:amd64 > > > (--configure): problemi con le dipendenze - lasciato non > configurato > > > dpkg: problemi con le dipendenze impediscono la configurazione di > > > libnss-winbind:amd64: libnss-winbind:amd64 dipende da winbind (= > > > 2:4.5.8+dfsg-2~bpo8+1); comunque: Il pacchetto winbind > non è ancora > > > configurato. > > > > > > dpkg: errore nell'elaborare il pacchetto libnss-winbind:amd64 > > > (--configure): problemi con le dipendenze - lasciato non > > configurato > > > Elaborazione dei trigger per libc-bin (2.19-18+deb8u10)... > > > Si sono verificati degli errori nell'elaborazione: > > > winbind > > > libpam-winbind:amd64 > > > libnss-winbind:amd64 > > > > > > > > > looking at logs: > > > > > > root at lupus:~# journalctl -xn > > > -- Logs begin at mer 2017-06-21 12:30:13 CEST, end at mer > > 2017-06-21 > > > 14:07:55 CEST. -- giu 21 14:07:54 lupus > > > systemd-fstab-generator[16314]: Checking was requested for > > "/var/src", > > > but it is not a device. giu 21 14:07:55 lupus > > > systemd-sysv-generator[16319]: Ignoring creation of an alias > > > umountiscsi.service for itself giu 21 14:07:55 lupus systemd[1]: > > > Reloading. giu 21 14:07:55 lupus systemd-fstab-generator[16344]: > > > Checking was requested for "/var/tmp", but it is not a > > device. giu 21 > > > 14:07:55 lupus systemd-fstab-generator[16344]: Checking was > > requested > > > for "/var/src", but it is not a device. giu 21 14:07:55 lupus > > > systemd-sysv-generator[16349]: Ignoring creation of an alias > > > umountiscsi.service for itself giu 21 14:07:55 lupus systemd[1]: > > > Starting Samba Winbind Daemon... -- Subject: L'unità > > winbind.service > > > inizia la fase di avvio -- Defined-By: systemd -- Support: > > > http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- > > > L'unità winbind.service ha iniziato la fase di avvio. giu > > 21 14:07:55 > > > lupus systemd[1]: winbind.service: main process exited, > > code=exited, > > > status=1/FAILURE giu 21 14:07:55 lupus systemd[1]: Failed > to start > > > Samba Winbind Daemon. -- Subject: L'unità winbind.service > è fallita > > > -- Defined-By: systemd -- Support: > > > http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- > > > L'unità winbind.service è fallita. -- -- Il risultato è failed. > > > giu 21 14:07:55 lupus systemd[1]: Unit winbind.service > > entered failed > > > state. > > > > > > > > > before firing up a bugs in debian BTS, i'll ask you if > there's know > > > glitches in your package. > > > > > > > > > Thanks. > > > > > > > Hi Louis, I 'think' this guy is trying to use your packages, but as > > you can see, he is having problems, anything you can do to help ? > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >