[Samba] User cannot change password

Kees van Vloten keesvanvloten at gmail.com
Thu Feb 22 12:02:55 UTC 2024


Hi Team,


I am running Samba 4.19.4 on bookworm, clients are Windows 10 22H2 with 
automatic win-updates enabled.

The [global] section of smb.conf:
[global]
         netbios name = DC01
         realm = EXAMPLE.COM
         server role = active directory domain controller
         server services = -dns
         workgroup = EXAMPLE
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         ntlm auth = mschapv2-and-ntlmv2-only
         disable netbios = yes
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         tls cafile = /etc/ssl/certs/ca.pem
         tls keyfile = /var/lib/samba/private/tls/dc01.example.com.key
         tls certfile = /etc/ssl/certs/dc01.example.com.crt
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes
         smb ports = 445
         smbd profiling level = on
         server min protocol = SMB3_11
         client min protocol = SMB3_11
         restrict anonymous = 2
         map acl inherit = yes
         panic action = /usr/share/samba/panic-action %d
         server smb encrypt = desired
         interfaces = lo eth0
         bind interfaces only = yes
         allow dns updates = disabled
         ldap server require strong auth = yes
         ldap ssl = start tls
         dedicated keytab file = /var/lib/samba/private/secrets.keytab
         log level = 3 winbind:2 auth_json_audit:3@/var/log/samba/audit_auth.log
         full_audit:success = open fsync_recv fsync_send ftruncate pwrite pwrite_recv pwrite_send renameat unlinkat write
         full_audit:failure = open pread read
         full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
         full_audit:facility = local6
         full_audit:priority = NOTICE
         idmap config *:range = 1000000-1999999
         host msdfs = yes
         max log size = 0
         vfs objects = dfs_samba4, acl_xattr, full_audit
         tls crlfile = /etc/ssl/certs/crl.pem
         tls dh params file = /etc/ssl/certs/dhparam.pem

Now a user has an interesting issue: she can log in on Windows without 
issues, but when changing the password Windows complains the password is 
wrong.

In log.samba on the DC, I see this:

[2024/02/22 12:15:57.646475,  3] auth/auth_log.c:858(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[user1@EXAMPLE] at [Thu, 22 Feb 2024 12:15:57.646467 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.211:50757] became [EXAMPLE]\[user1] [S-1-5-21-1366037735-1163107043-795354949-1003]. local host [NULL]
[2024/02/22 12:15:57.646564,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.020364
[2024/02/22 12:15:57.646571,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ SUCCESS ipv4:192.168.0.211:50757 user1@EXAMPLE kadmin/changepw@EXAMPLE pa=ENC-TS etype=18/18 canon_client_name=user1@EXAMPLE.COM pac_attributes=1 pa-etype=18 client-pa=ENC-TS,128 end=1708600677 auth=1708600557 etypes=18,17,23,24,-135,3 renew=1709205357 pa-succeeded-kvno=19 reqaddrs=TYPE_20:50433131312020202020202020202020 elapsed=0.020364 flags=renewable-ok,canonicalize,renewable,forwardable
[2024/02/22 12:15:57.647409,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2024/02/22 12:15:57.648670,  3] auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
   Found account name from PAC: user1 [User One]
[2024/02/22 12:15:57.653002,  3] lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
   ldb_wrap open of privilege.ldb
[2024/02/22 12:15:57.653253,  1] source4/kdc/kpasswd-service-heimdal.c:297(kpasswd_handle_request)
   kpasswd_handle_request: String conversion failed!
[2024/02/22 12:15:57.654054,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

This is interesting: kpasswd_handle_request: String conversion failed!

It is the only clue in the server logging that something is not alright, 
as far as I can see.

The audit_auth.log does not report any issues:

   {"timestamp": "2024-02-22T12:15:33.140169+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "19e950ca59b91207", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50753", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user1@EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 13086}}
   {"timestamp": "2024-02-22T12:15:33.150004+0100", "type": "KDC Authorization", "KDC Authorization": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50754", "serviceDescription": "host/pc11.exmaple.com@EXAMPLE.COM", "authType": "TGS-REQ with Ticket-Granting Ticket", "domain": "EXAMPLE", "account": "user1", "sid": "S-1-5-21-1366037735-1163107043-795354949-1003", "logonServer": "DC01", "authTime": "2024-02-22T12:15:33.141814+0100", "serverPolicyAccessCheck": null}}
   {"timestamp": "2024-02-22T12:15:57.646491+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "979e535fc7a6536d", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.0.211:50757", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user1@EXAMPLE", "workstation": null, "becameAccount": "user1", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1366037735-1163107043-795354949-1003", "mappedAccount": "user1", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 20296}}

Any ideas what is going wrong here?

- Kees.
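As an added example (not part of Kees's post and not Samba's own tooling), the script below shows how a monitor has to read the two log sources quoted above to catch this failure at all: the kpasswd "String conversion failed!" line is written to log.samba at level 1 and carries no user or client address, while audit_auth.log only records the KDC authentication for the kadmin/changepw ticket, which succeeded. The script parses log.samba entries, attributes each kpasswd failure to the client whose AS-REQ for kadmin/changepw preceded it, and checks the JSON audit records for anything other than NT_STATUS_OK. The sample lines are constructed from the post (with the archive's " at " restored to "@"), and the 5-second correlation window is an assumed value.

```python
"""Spot failed Samba password changes that audit_auth.log never reports.

Added example, not part of the mailing-list post or of Samba: it parses log.samba
entries for the level-1 kpasswd "String conversion failed!" message, attributes each
one to the client whose AS-REQ for kadmin/changepw preceded it, and shows that the
JSON audit log for the same exchange contains only NT_STATUS_OK records.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample: log.samba entries from the post, re-joined onto the
# one-header-line-plus-one-message-line layout Samba writes; " at " restored to "@".
LOG_SAMBA = """\
[2024/02/22 12:15:57.646475,  3] auth/auth_log.c:858(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[user1@EXAMPLE] at [Thu, 22 Feb 2024 12:15:57.646467 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.211:50757] became [EXAMPLE]\\[user1] [S-1-5-21-1366037735-1163107043-795354949-1003]. local host [NULL]
[2024/02/22 12:15:57.646571,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ SUCCESS ipv4:192.168.0.211:50757 user1@EXAMPLE kadmin/changepw@EXAMPLE pa=ENC-TS etype=18/18 canon_client_name=user1@EXAMPLE.COM pa-etype=18 client-pa=ENC-TS,128 elapsed=0.020364 flags=renewable-ok,canonicalize,renewable,forwardable
[2024/02/22 12:15:57.653253,  1] source4/kdc/kpasswd-service-heimdal.c:297(kpasswd_handle_request)
  kpasswd_handle_request: String conversion failed!
[2024/02/22 12:15:57.654054,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

# Constructed sample: the audit_auth.log record for the same AS-REQ (client port 50757),
# trimmed to the fields used here; note that it reports NT_STATUS_OK.
AUDIT_LOG = """\
{"timestamp": "2024-02-22T12:15:57.646491+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "979e535fc7a6536d", "logonType": 3, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.0.211:50757", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "user1@EXAMPLE", "becameAccount": "user1", "becameDomain": "EXAMPLE", "passwordType": "aes256-cts-hmac-sha1-96", "duration": 20296}}
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(\d+)\]\s+(\S+)\s*$")
ASREQ_RE = re.compile(r"AS-REQ SUCCESS (?P<remote>\S+) (?P<client>\S+) (?P<server>\S+)")
KPASSWD_FAILURE = "kpasswd_handle_request: String conversion failed!"


def parse_log_samba(text):
    """Return (timestamp, level, location, message) tuples from log.samba text.

    Samba writes a "[date, level] source-location" header line followed by an
    indented message line; entries above the configured "log level" are never written.
    """
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                      int(m.group(2)), m.group(3))
        elif header is not None and line.strip():
            entries.append((*header, line.strip()))
            header = None
    return entries


def find_kpasswd_failures(entries, window=timedelta(seconds=5)):
    """Pair each kpasswd failure with the latest kadmin/changepw AS-REQ within `window`.

    The AS-REQ line (level 3) names the client principal and remote address that the
    level-1 failure line lacks; the 5-second window is an assumed value.
    """
    incidents, changepw = [], []
    for ts, level, _location, msg in entries:
        m = ASREQ_RE.search(msg)
        if m and m.group("server").startswith("kadmin/changepw@"):
            changepw.append((ts, m.group("remote"), m.group("client")))
        elif KPASSWD_FAILURE in msg:
            match = next(((r, c) for t, r, c in reversed(changepw) if ts - t <= window),
                         (None, None))
            incidents.append({"time": ts.isoformat(), "level": level,
                              "remote": match[0], "user": match[1]})
    return incidents


def audit_failures(lines):
    """Return audit_auth.log records whose status is anything other than NT_STATUS_OK."""
    bad = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        # The record body sits under a key equal to its "type" value.
        if rec[rec["type"]].get("status") != "NT_STATUS_OK":
            bad.append(rec)
    return bad


if __name__ == "__main__":
    for inc in find_kpasswd_failures(parse_log_samba(LOG_SAMBA)):
        print("kpasswd failure:", inc)
    print("audit records with a failure status:", audit_failures(AUDIT_LOG.splitlines()))
```

Run against the samples, the script reports one kpasswd failure attributed to user1@EXAMPLE from ipv4:192.168.0.211:50757 and an empty list of audit failures. The post's `log level = 3` is what makes both the level-1 failure and the level-3 AS-REQ line visible; with a lower `log level` the failure line would not be written, and nothing in audit_auth.log would flag the failed password change.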