Jeff LePage Jeff.LePage at asg.com
Fri Aug 15 19:31:00 GMT 2008

I'm having the same problem with Ubuntu Hardy Heron.  

It seems that there is a bug (fixed in 3.0.31) that causes
NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon.

See http://us1.samba.org/samba/history/samba-3.0.31.html) 

I also found this:
> Beginning with Samba 3.0.2, passwords for
> accounts with a last change time (LCT-XXX in smbpasswd,
> attribute in ldapsam, etc...) of zero (0) will be regarded as
> strings.  This will cause authentication to fail for such accounts.
If you
> have valid passwords that meet this criteria, you must update the last
> time to a non-zero value.  If you do not, then  'pdbedit
> passwords' will disable these accounts and reset the password hashes
to a
> string of X's.

After joining the domain controller ('join rpc -S sambaserver -U
sambadmin') my machine accounts have last-change-time set to zero.  

I did this to fix it, but I don't know if it's really working; at least
one user is still reporting a problem.

My method:  
1) smbpasswd machinename$
...this sets the password and also the last-change-time to a non-zero
value, but also resets the machine account to a non-machine account.
2) rejoin the domain: join rpc -S sambaserver -U sambadmin

After this everything is as before, except that the pwd-last-change-time
is set to a non-zero value.

Since doing this it was also suggested that I try 'net rpc

Ubuntu hardy heron (running 3.0.28a) seems to suffer from at least 2 bad
1) the NT_STATUS_PASSWORD_MUST_CHANGE bug mentioned above
2) problems when running winbind on a samba PDC

I face a difficult choice now.  Do I rebuild my server from source, or
do I try a workaround?  This new PDC needs to be up and running by
Monday, and I have a lot of other chores to perform my Monday.

Anyone with suggestions?  Workarounds?

John Baker: please contact me.  Maybe we can help each other.

-----Original Message-----
From: samba-bounces+jeff.lepage=asg.com at lists.samba.org
[mailto:samba-bounces+jeff.lepage=asg.com at lists.samba.org] On Behalf Of
John Baker
Sent: Friday, August 15, 2008 12:45 PM
To: samba at lists.samba.org

Hi there,

I'm working on a new print server to replace one that's pretty long in 
the tooth.

I'm using standard packages from Ubuntu Hardy Heron which appears to be 
Samba 3.0.28a. We use LDAP for the authentication backend. I seem to 
have that configured properly as I get a ldap_connect_system: succesful 
connection to the LDAP server in the log but every login fails with:


I haven't found much searching other than this is something that 
appeared to happen with 3.0.28a.

We have no password policy and have not had this trouble with any 
previous version of Samba.

Is it a bug?
It there any fix for this or do I need to go back to dappper or compile 
a different version?

Thank you
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list