Marco Gaiarin
2017-Oct-30 15:41 UTC
[Samba] Password change question/1: smbpasswd does not propagate passwords?!
Doing some tests, I've done the following, as root, on one DC:

root@vdcpp1:~# smbpasswd gaio
New SMB password:
Retype new SMB password:
root@vdcpp1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    lun, 30 ott 2017 15:59:07 CET
Password can change:  lun, 30 ott 2017 15:59:07 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So the password seems changed. Then I've done, on the other DC:

root@vdcsv1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           lun, 30 ott 2017 12:49:12 CET
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    ven, 20 ott 2017 16:52:13 CEST
Password can change:  ven, 20 ott 2017 16:52:13 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So, the password seems not to get propagated.
I've done, on the first DC, 'su - gaio' and then:

LNFFVG\gaio@vdcpp1:/$ samba-tool user password
Password for [LNFFVG\gaio]:
New Password:
Retype Password:
Changed password OK
LNFFVG\gaio@vdcpp1:/$ logout
root@vdcpp1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    lun, 30 ott 2017 16:09:21 CET
Password can change:  lun, 30 ott 2017 16:09:21 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and in this way the password gets correctly propagated to the second DC:

root@vdcsv1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           lun, 30 ott 2017 12:49:12 CET
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    lun, 30 ott 2017 16:09:57 CET
Password can change:  lun, 30 ott 2017 16:09:57 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Note that there are still some differences (e.g. 'Logon time' and 'Logoff time').

So, the question: how does replication work?! I'm confused...

Thanks.

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2017-Oct-31 16:59 UTC
[Samba] Password change question/1: smbpasswd does not propagate passwords?!
I reply to myself...

> So, the question: how does replication work?! I'm confused...

To add "strangeness", I've done another password change on DC1 and verified that the password change time does not propagate to DC2. After that I've done an ssh logon on DC2 (with that user, of course), I was able to use the new password, and the password change time got "synchronized".

After that, I'm now adding a bunch of users on DC2, and they do not appear on DC1.

Is it normal? How can I debug this, or force a sync?

Thanks.
Rowland Penny
2017-Oct-31 17:37 UTC
[Samba] Password change question/1: smbpasswd does not propagate passwords?!
On Tue, 31 Oct 2017 17:59:40 +0100
Marco Gaiarin via samba <samba@lists.samba.org> wrote:

> I reply to myself...
>
> > So, the question: how does replication work?! I'm confused...
>
> To add "strangeness", I've done another password change on DC1 and
> verified that the password change time does not propagate to DC2.

Are you sure that it isn't propagating? Have you checked the attribute 'pwdLastSet' in the user's object in AD on all DCs?

ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=samdom,DC=example,DC=com" -s sub "(&(objectClass=user)(sAMAccountName=username))" pwdLastSet | grep '[p]wdLastSet' | awk '{print $NF}'

Run the above command on all DCs; it should produce a number, and the number should be the same on all DCs.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb
DC=samdom,DC=example,DC=com with your NC
username with a user's name from your AD domain

You will also need ldb-tools installed.

> After that I've done an ssh logon on DC2 (with that user, of course),
> I was able to use the new password, and the password change time got
> "synchronized".
>
> After that, I'm now adding a bunch of users on DC2, and they do not
> appear on DC1.

This is worrying, they should replicate to all DCs.

> Is it normal? How can I debug this, or force a sync?

Definitely not normal, how are you creating users? Have a look at 'samba-tool ldapcmp --help' to check the AD databases.

Rowland
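Rowland's pwdLastSet check, carried a step further as an added example (this is not code from the thread or from the Samba project): the script parses the raw ldbsearch output, decodes pwdLastSet from its Windows FILETIME encoding (100-nanosecond ticks since 1601-01-01 UTC, 0 meaning "must change at next logon") into a readable date, and reports whether every DC returned the same value. The DC names vdcpp1/vdcsv1, the sam.ldb path, the base DN, root ssh access to the DCs and the sample ldbsearch output below are all assumptions or constructed for the demo; with no arguments it runs on the constructed samples, with arguments it queries the named DCs live.

```bash
#!/bin/sh
# Added example, not from the thread: compare a user's pwdLastSet across
# Samba AD DCs. Assumes POSIX sh with 64-bit arithmetic (dash/bash do).

# Ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_OFFSET=116444736000000000

# FILETIME tick count -> Unix epoch seconds.
filetime_to_epoch() {
    printf '%d\n' $(( ($1 - FILETIME_EPOCH_OFFSET) / 10000000 ))
}

# Pull the pwdLastSet value out of raw ldbsearch output on stdin.
# Prints nothing when the attribute is absent (user not found on that DC).
extract_pwdlastset() {
    awk '/^pwdLastSet:/ { print $NF }'
}

# Human-readable rendering; 0 is the "change at next logon" sentinel.
# Falls back to the bare epoch where 'date -d' is not GNU.
describe_pwdlastset() {
    if [ "$1" = 0 ]; then
        echo "0 (must change at next logon)"
        return
    fi
    epoch=$(filetime_to_epoch "$1")
    printf '%s (epoch %s%s)\n' "$1" "$epoch" \
        "$(date -u -d "@$epoch" '+, %Y-%m-%d %H:%M:%S UTC' 2>/dev/null)"
}

# Args: host:value pairs. Returns 0 when every DC agrees, 1 otherwise
# (a missing value also counts as disagreement).
compare_pwdlastset() {
    first="" status=0
    for pair in "$@"; do
        host=${pair%%:*}; value=${pair#*:}
        if [ -z "$value" ]; then
            printf '%-10s %s\n' "$host" "pwdLastSet not returned (user missing on this DC?)"
            status=1
            continue
        fi
        printf '%-10s %s\n' "$host" "$(describe_pwdlastset "$value")"
        if [ -z "$first" ]; then first=$value
        elif [ "$value" != "$first" ]; then status=1; fi
    done
    return $status
}

# Live mode: run the ldbsearch from the thread on a DC over ssh.
# Root ssh access, ldb-tools on the DC, and these defaults are assumptions.
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
BASE_DN=${BASE_DN:-DC=samdom,DC=example,DC=com}
query_dc() {
    ssh "root@$1" ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub \
        "'(&(objectClass=user)(sAMAccountName=$2))'" pwdLastSet 2>/dev/null \
        | extract_pwdlastset
}

# Constructed sample output in ldbsearch's format. DC1 holds a value for
# 2017-10-30 15:09:57 UTC, DC2 still the older 2017-10-20 14:52:13 UTC.
SAMPLE_DC1='# record 1
dn: CN=Marco Gaiarin,CN=Users,DC=samdom,DC=example,DC=com
pwdLastSet: 131538497970000000

# returned 1 records
# 1 entries
# 0 referrals'
SAMPLE_DC2=$(printf '%s\n' "$SAMPLE_DC1" | sed 's/131538497970000000/131529847330000000/')

if [ $# -eq 0 ]; then
    # Demo on the constructed samples (no DCs contacted).
    compare_pwdlastset \
        "vdcpp1:$(printf '%s\n' "$SAMPLE_DC1" | extract_pwdlastset)" \
        "vdcsv1:$(printf '%s\n' "$SAMPLE_DC2" | extract_pwdlastset)" \
        && echo "pwdLastSet agrees on all DCs" \
        || echo "pwdLastSet DIFFERS between DCs: password change did not replicate"
else
    # Usage: ./pwdlastset-check.sh USERNAME DC1 DC2 ...
    # Rotate each DC name off the argument list and append its host:value pair.
    user=$1; shift
    for dc in "$@"; do set -- "$@" "$dc:$(query_dc "$dc" "$user")"; shift; done
    compare_pwdlastset "$@" \
        && echo "pwdLastSet agrees on all DCs" \
        || echo "pwdLastSet DIFFERS between DCs: password change did not replicate"
fi
```

pwdLastSet is a replicated attribute, so a mismatch that persists after the normal replication interval is a real replication problem rather than display noise. The 'Logon time' field pdbedit shows comes from lastLogon, which AD deliberately does not replicate, so that difference between DCs is expected and is not evidence either way.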