[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a

Duncan Brannen dbb at st-andrews.ac.uk
Thu Nov 15 16:39:51 GMT 2007 


Hi,
       I just upgraded one of our samba BDC's (with LDAP back end on 
solaris 10) from 3.0.23c to
3.0.26a and can no longer mount shares.

The error message I'm seeing in the samba logs is 

[2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'dbb' password must change!.
[2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain 
[CLASSROOM] was for this SAM.
[2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [dbb] -> [dbb] FAILED 
with error NT_STATUS_PASSWORD_MUST_CHANGE
[2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) 
NT_STATUS_PASSWORD_MUST_CHANGE


I tried reinstalling 3.0.23c and now get


  init_sam_from_ldap: Entry found for user: dbb
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
  sam_account_ok: Account for user 'dbb' password expired!.
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
  sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' 
(4000000) unix time.
[2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain 
[CLASSROOM] was for this SAM.
[2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [dbb] -> [dbb] FAILED 
with error NT_STATUS_PASSWORD_EXPIRED


Any thoughts?  It worked fine earlier.  I've tried deleting all the 
var/locks tdb files and the private/*.tdb files, resetting the SID and 
smbpassword
but it doesn't seem to help.  Reasoning for this is there seemed to be a 
new Account Policy entry appear in the gencache.tdb file to do with
password age after the upgrade.

There isn't anything set in the samba attributes of the ldap accounts to 
do with password expiry so it's all default.

Cheers,
             Duncan

More information about the samba mailing list