samba - Aug 2024 - Password caching issue

Hey list,

i've stumbled upon a very strange behaviour.

I change the user password on the pdc with "samba-tool user setpassword
..."
two times in a row, without login in or out anywhere, to make sure the 
password
is only stored on the dcs.
After doin so i am able to login into our webmail interface, which 
authentificates for
testing only against the pdc, with both passwords for about 45 - 60 
minutes. After
that time the login is only possible with the last password set.

Is there any password caching mechanism in Samba which i am not aware 
off? And if
so, is it possible to shorten the time or even disable it at all?

Thanks in advance

Daniel

On Fri, 2 Aug 2024 11:50:00 +0200
Daniel Jordan via samba <samba at lists.samba.org> wrote:
> Hey list,
> 
> i've stumbled upon a very strange behaviour.
> 
> I change the user password on the pdc with "samba-tool user
> setpassword ..." 
How do you use samba-tool with a PDC ?
Hang on, I think you mean the AD DC with FSMO roles, a PDC is something
else entirely.
 
>two times in a row, without login in or out
> anywhere, to make sure the password
> is only stored on the dcs.
> After doin so i am able to login into our webmail interface, which 
> authentificates for
> testing only against the pdc, with both passwords for about 45 - 60 
> minutes. After
> that time the login is only possible with the last password set.
> 
> Is there any password caching mechanism in Samba which i am not aware 
> off? And if
> so, is it possible to shorten the time or even disable it at all?
> 
> Thanks in advance
> 
> Daniel
> 
Nothing you can do to stop this (except for using kerberos), it is a
feature of AD, for approx 60 minutes both passwords are valid.

Rowland