[Samba] logins fine, then not: NT_STATUS_WRONG_PASSWORD

jmailand at lane.k12.or.us jmailand at lane.k12.or.us
Wed Feb 1 19:35:38 GMT 2006


I've had samba in production for a few weeks, as follows:

samba 3.0.20b
openldap 2.2.13-4, idealx tools 0.9.1
red hat AS 4
clients: all XP sp2

Samba's the PDC, nothing fancy about the setup other than trying to use LDAP for
authentication.

So far everything's been mostly fine, then yesterday for some reason a number of my
users couldn't authenticate after logging out or rebooting, they'd see an XP error
suggesting they "check username and password".  At the time, LDAP was up and
responding to queries.

Looking through the samba logs, when the logins fail I see:

[2006/02/01 10:03:29, 5] lib/smbldap.c:smbldap_search_ext(980)
  smbldap_search_ext: base => [dc=lart,dc=com], filter =>
[(&(uid=someuser)(objectclass=sambaSamAccount))], scope => [2]
[2006/02/01 10:03:29, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: someuser
[2006/02/01 10:03:29, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2006/02/01 10:03:29, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user someuser

then later on:

check_ntlm_password: sam authentication for user [someuser] FAILED with error
NT_STATUS_WRONG_PASSWORD

I can go run, as root, "/usr/sbin/smbldap-passwd someuser", have them enter in the
password they normally use, then they can go login fine.

Because it happened to nearly all my users at the same day I suspected the
sambaPwdMustChange attribute, but it's set pretty far out: 1454167813, nor did
anyone see a warning about needing to change their password.  Also, running pdbedit
shows:

Password must change: Sat, 30 Jan 2016 07:30:13 GMT

I did add all these folks on the same day weeks ago, and also had most of their XP
boxes joined to our domain on the same day, so I suspect some default setting
somewhere triggered this.

We don't manage policies on the XP workstations (nor do roaming profiles or any of
that), pretty much a generic XP pro workstation install.

Thanks for any suggestions on the origin of this problem, I don't want it to happen
again in two weeks :-)

Global config info from smb.conf, if useful:

[global]
        workgroup = LART
        passdb backend = ldapsam:ldap://ldap.lart.com
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 5 passdb:5 auth:5 winbind:2
        log file = /var/log/samba/%m.log
        unix extensions = No
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192
SO_SNDBUF=8192
        printcap cache time = 600
        printcap name = /etc/printcap
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = logon.bat
        logon path =
        logon drive = H:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=Manager,dc=lart,dc=com
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=People
        ldap suffix = dc=lart,dc=com
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://ldap.lart.com
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        map acl inherit = Yes
        cups options = raw,media=letter






-- 
Joe Mailander
jmailand at lane.k12.or.us








More information about the samba mailing list