[Samba] passdb.tdb not updated when changing passwords

Gianluca Cecchi gianluca.cecchi at gmail.com
Thu Aug 17 14:02:20 GMT 2006

thanks Simo
> > Questions:
> > 1) it seems passdb.tdb is read but not written based on its timestamp
> > Shouldn't it be modified with the new encrypted password? the same
> > happens if for example I change full name of a user...
> > Where are otherwise written these informations
> some kernels have a bug that will prevent them from correctly updating
> the mtime when mmpped files are changed and tdb usually is mmapped.
I have not completely understood your answer and I will investigate,
but see this:
date on samba and on wxp workstation is "gio ago 17 15:38:47 CEST 2006"
pdbedit -Lv user returns:
Password last set:    lun, 14 ago 2006 16:35:50 GMT
Password can change:  lun, 14 ago 2006 16:35:50 GMT
Password must change: ven, 13 dic 1901 21:45:51 GMT

ll passdb.tdb gives:
-rw-------    1 root     root        49152 17 ago 14:52 passdb.tdb

Now, from the workstation where user is connected with his login he
does Ctr+Alt+Canc and chooses "change password" and correctly gets
"password has been changed"

pdbedit -Lv user now returns:
Password last set:    gio, 17 ago 2006 15:40:59 GMT
Password can change:  ven, 18 ago 2006 15:40:59 GMT
Password must change: lun, 16 ott 2006 15:40:59 GMT

so the fields are updated correctly as domain policy for max pwd age
is  set to 60 days  and min pwd age is 1 day.
ll passdb.tdb now gives:
-rw-------    1 root     root        57344 17 ago 15:40 passdb.tdb

so from commands run by client is ok.
Instead, if I do a pdbedit command from the server, the passdb.tdb is
not modified.
Example the user has empty full name field
I can set it from the samba server with pdbedit (at 15:48):
pdbedit -u user -f "Full User Name"
and infact
pdbedit -Lv user now gives:
Full Name:            Full User Name

but passdb.tdb remains updated at 15.40.
Where does pdbedit read in this case?

> > 2) in the example above, the user cannot change today his password.
> > What can I do to reset this for the user?
> change the pass can change value, and set it to a time before the
> present.
the problem is that the domain policy about 1 day as min pass age is
applied when password has been changed it seems I cannot change this
after done..

> > 3) It seems that no --pwd-must-change-time option is working in my environment.
> > Was this a late introducted feature?
> 3.0.9 is quite old, I would update anyway, later versions have more
> options.
see below

> > PS: please tell me if any question regarding customized version of
> > samba, such as RH, is automatically ignored by the gurus... this would
> > be in some way acceptable but knowing it would at least save time for
> > me.
> It's not, but 3.0.9 is way too old, we recommend running the latest
> samba versions for all the bugfixes and windows compatibility fixes we
> introduce at each release.

the problems is that, basically for package mainteneance and
interdependency reasons IIRC, when rh starts a new release, such as RH
EL3, it begins a base release for a package, so that at the beginning
samba on RH EL 3 was based on 3.0.9. Then when updates comes, all the
new updated packages are named incrementally but with the same base.
Now with RH EL 3 update 7 they are at samba-3.0.9-1.3E.7 but actually
it has many features come after 3.0.9 release and it is difficult to
trace it down. You can see the changelog for a package with the
rpm -q --changelog package
for example with samba you get many lines. Some of them:

* mar nov 29 2005 Jay Fenlason <fenlason at redhat.com> 0:3.0.9-1.3E.7

- Remove the -plaintext patch, since it didn't make the CANFIX list for
* lun dic 13 2004 Jay Fenlason <fenlason at redhat.com> 3.0.9-1.3E.1

- Add patches from Jerry Carter <jerry at samba.org> to close CAN-2004-1154
- Add post-3.0.9 printing patch from Jerry Carter <jerry at samba.org>
- Modify the -printing patch to work with the CAN-2004-1154 patch.
- Disable the non-ascii domain patch because it conflicts with the
  CAN-2004-1154 patch
- Add %dir /var/run/winbindd to this spec file.

More information about the samba mailing list