[Samba] user login passwords are mixed up

oeh univie edv lists edv-lists at oeh.univie.ac.at
Sat Feb 20 22:05:32 UTC 2016 

Hello,

In what samba version is parameter "old password allowed period"
introduced?

This parameter seems be the remedy to my problem but I cannot find it with
"testparm -v | grep password"
or in my
"man smb.conf"

Does it even exist in 4.1.17 (just the regular debian package)?

In this document it says it is for samba version 4:
https://www.mankier.com/5/smb.conf

I found this where the parameter is introduced:
https://jelmer.uk/klaus/samba/commit/9d5f4cabf3f491fd1c22dbc1daaad8a657d12914/

Is there an easy solution to use this paramter in 4.1.17?

I set "Enforce Password History" to value "0" in the GPO. Login with the
previous old password is no longer possible BUT I cannot change the new
password to any old passwords. That should be possible with no history,
shouldn't it? I tried it several times. Somehow the password history still
works regarding that. But why? I moved gencache.tdb in /var/cache/samba to
oldgenchache.tdb but still the same behaviour... I restarted samba... Why
does the password history still work? Where does Samba store the password
history?

This behaviour is perfect for what I want, but there is no logic in it.
There must be some lack of understanding here...

And for what reasons should one want a 60 minutes permit on NTLM login
after a password change anyway?

kind regards, birgit


Rowland penny <rpenny at samba.org> schreibt:
>On 04/02/16 20:02, oeh univie edv lists wrote:
>> Hello,
>>
>> Some users in my domain report that they have to use different (old)
>> passwords on different computers. They say that they still have to use
>> their "old" passwords after they changed it. My domain setup is that
>users
>> are asked to automatically change their password on Windows 7 Enterprise
>> after some months. So they have to do that. Otherwise they cannot login.
>> But why is it, that the old password is still requested on some
>computers?
>> Can this happen, when users do not turn off Windows 7 computers (are
>still
>> logged in on the PC where they changed the passwort) and switch to other
>> computers?
>>
>> I looked in all relevant logs in /var/log, auth.log and in all logs in
>> directory samba. I cannot even find ANY information for user
>> authentication. Where to look? Which log is relevant? How to rise the
>log
>> level?
>>
>> I run a Samba Active Directory DC 4.1.17 on Debian Jessie.
>>
>> I attached some logs to the mail how /var/log looks ... hardly any
>looging
>> except for startups and shutdowns of samba. I restartet samba and
>attached
>> the logs. How to monitor this problem?
>>
>> Any help why this happens is much appreciated.
>>
>> KR, birgit
>>
>>
>>
>>
>> /var/log/samba
>> 20:50:33 # ls -la
>> insgesamt 76
>> drwxr-x--- 3 root adm   4096 Feb  3 06:25 .
>> drwxr-xr-x 9 root root  4096 Feb  4 06:25 ..
>> drwx------ 4 root root  4096 Okt  4 19:59 cores
>> -rw-r--r-- 1 root root     0 Okt  4 19:59 log.
>> -rw-r--r-- 1 root root     0 Okt 11 06:25 log.nmbd
>> -rw-r--r-- 1 root root   373 Okt  4 22:36 log.nmbd.1.gz
>> -rw-r--r-- 1 root root 47049 Feb  4 20:49 log.samba
>> -rw-r--r-- 1 root root   829 Feb  4 20:50 log.smbd
>> -rw-r--r-- 1 root root   394 Feb  2 17:46 log.smbd.1
>>
>>
>> more log.smbd
>> [2016/02/04 20:49:56,  0] ../source3/smbd/server.c:1189(main)
>>    smbd version 4.1.17-Debian started.
>>    Copyright Andrew Tridgell and the Samba Team 1992-2013
>> [2016/02/04 20:49:56.632305,  0]
>> ../lib/util/become_daemon.c:136(daemon_ready)
>>    STATUS=daemon 'smbd' finished starting up and ready to serve
>> connectionsUnable to connect to CUPS server localhost:631 - Ungültiger
>> Dateideskriptor
>>    STATUS=daemon 'smbd' finished starting up and ready to serve
>> connectionsfailed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
>> [2016/02/04 20:50:56.705359,  0]
>> ../source3/printing/print_cups.c:151(cups_connect)
>>    Unable to connect to CUPS server localhost:631 - Ungültiger
>> Dateideskriptor
>> [2016/02/04 20:50:56.705745,  0]
>> ../source3/printing/print_cups.c:528(cups_async_callback)
>>    failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
>>
>> more samba.log
>> [2016/02/04 20:49:55.974285,  0]
>> ../source4/smbd/server.c:370(binary_smbd_main)
>>    samba version 4.1.17-Debian started.
>>    Copyright Andrew Tridgell and the Samba Team 1992-2013
>> [2016/02/04 20:49:56.170079,  0]
>> ../source4/smbd/server.c:488(binary_smbd_main)
>>    samba: using 'standard' process model
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> [2016/02/04 20:49:56.217188,  0]
>> ../lib/util/become_daemon.c:136(daemon_ready)
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>> samba: setproctitle not initialized, please either call
>> setproctitle_init() or link against libbsd-ctor.
>>
>>
>>
>>
>
>If a password is changed but the old password still works on *some* 
>windows machines, then this is very probably not a Samba problem, it 
>could in fact be a windows 'feature', see here:
>
>https://support.microsoft.com/en-us/kb/906305
>
>Rowland
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba


thank you! I found "Enforce Password History" in the GPO. It is set to 24
per default, so that the password has to be changed to 24 new passwords
before an old password can be changed to again... but to disable that
means that users can reuse their old password immediatley if they are
prompted for a new one... yet it is also annoying that the old ones are
still valid... I'd rather change the OldPasswordAllowedPeriod. But I do
not know how to do that...

More information about the samba mailing list