[Samba] Windows client does not recognize password change...

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Tue Oct 10 15:37:42 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2006 06:12 PM, Jason Shaw escreveu:
> Hello!

Hi Jason!


> SuSE Linux 10.0
> Samba 3.0.20b
> OpenLDAP backend
> IDEALX scripts v0.9.2
> Windows XP SP2 client
> 
> Everything seems to be working except when changing your password from
> the Windows client (CTRL-ALT-DEL and "Change password"). When I try to
> change the password I get the following error message.
> 
> "The User name or old password is incorrect. Letters in passwords must
> be typed using the correct case."

	I once had this error with Win2K SP4 and Samba 3.0.10, after
upgrading Samba to 3.0.14a the problem was solved (and it was caused
by a Security Fix from Microsoft).


> But the kicker is that the PDC *did* change both Linux and Windows
> passwords; the client machine is saying there's an error when the
> password was changed.
> 
> According to the log file for the machine, it looks like it may have
> failed because it couldn't find the "sambaPwdMustChange" attribute. But
> using a LDAP browser, I see that the "sambaPwdMustChange" is there.
> 
> Any suggestions on how to fix this or what the problem may be?


> Thank you!
> 
> Jason
> 
> 
> [2006/10/04 13:13:00, 5]
> passdb/secrets.c:secrets_fetch_trusted_domain_password(325)
>   secrets_fetch failed!
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:11, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1714)
>   ldapsam_update_sam_account: user jason to be modified has dn:
> uid=jason,ou=People,dc=amiwest,dc=com
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_ldap_from_sam(926)
>   init_ldap_from_sam: Setting entry for user: jason
> [2006/10/04 13:13:12, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
>   ldapsam_modify_entry: Failed to modify user dn=
> uid=jason,ou=People,dc=amiwest,dc=com with: No such attribute
>         modify/delete: sambaPwdMustChange: no such value
> [2006/10/04 13:13:12, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1741)
>   ldapsam_update_sam_account: failed to modify user with uid = jason,
> error: modify/delete: sambaPwdMustChange: no such value (Success)
> [2006/10/04 13:13:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(83)
>   Looking up login cache for user jason
> [2006/10/04 13:13:12, 7] passdb/login_cache.c:login_cache_read(97)
>   No cache entry found
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>   decode_pw_buffer: incorrect password length (190012133).
> [2006/10/04 13:13:12, 0] libsmb/smbencrypt.c:decode_pw_buffer(541)
>   decode_pw_buffer: check that 'encrypt passwords = yes'

	Are you using customized password restrictions, like
number of characters (min/max)?


> dn: uid=jason,ou=People,dc=amiwest,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: sambaSamAccount

	Why do you have two sambaSamAccounts?


> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> displayName: Jason Shaw
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaPwdCanChange: 2

	That's strange... sambaPwdCanChange in my LDAP looks
like the sambaPwdLastSet and sambaPwdMustChange fields (it is
not the same values, but the same way).


> sambaAcctFlags: [UX]

	My sambaAcctFlags looks like this: "[U         ]"

	With blank spaces.


> sambaPwdLastSet: 1159992792
> sambaPwdMustChange: 1163880792
> modifiersName: cn=Manager,dc=amiwest,dc=com
> modifyTimestamp: 20061004201312Z
> (some stuff cut)
> 
> 
> /etc/openldap/slapd.conf:
> access to
> attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
> 
>         by self write
>         by * auth

	There is also sambaPwdCanChange to be considered.


> /etc/samba/smb.conf:
> [global]
>         enable privileges = Yes
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>         passwd chat debug = Yes
>         encrypt passwords = Yes
>         log level = 1 passdb:7
>         ldap passwd sync = Yes

	'testparm -v' is also ok?


	Kind regards,

- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFK75FCj65ZxU4gPQRAj7QAJ4rdRqNFP1Qs5LbkUiomNZGRO2rPwCgz8I/
HkbwqeSfXbQM3Xlh1DQgktI=
=Pkvh
-----END PGP SIGNATURE-----

More information about the samba mailing list