[Samba] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

Jeff LePage Jeff.LePage at asg.com
Fri Aug 15 19:33:23 GMT 2008


I should point out that after resetting the password and re-joining all
the clients to the PDC, I no longer get those
NT_STATUS_PASSWORD_MUST_CHANGE errors.



-----Original Message-----
From: samba-bounces+jeff.lepage=asg.com at lists.samba.org
[mailto:samba-bounces+jeff.lepage=asg.com at lists.samba.org] On Behalf Of
Jeff LePage
Sent: Friday, August 15, 2008 1:31 PM
To: John Baker; samba at lists.samba.org
Subject: RE: [Samba] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

I'm having the same problem with Ubuntu Hardy Heron.  

It seems that there is a bug (fixed in 3.0.31) that causes
NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon.

(See http://us1.samba.org/samba/history/samba-3.0.31.html)

I also found this:
> Beginning with Samba 3.0.2, passwords for
> accounts with a last change time (LCT-XXX in smbpasswd, sambaPwdLastSet
> attribute in ldapsam, etc...) of zero (0) will be regarded as uninitialized
> strings.  This will cause authentication to fail for such accounts.  If you
> have valid passwords that meet this criteria, you must update the last change
> time to a non-zero value.  If you do not, then 'pdbedit --force-initialized-passwords'
> will disable these accounts and reset the password hashes to a
> string of X's.

After joining the domain controller ('join rpc -S sambaserver -U
sambadmin') my machine accounts have last-change-time set to zero.  

I did this to fix it, but I don't know if it's really working; at least
one user is still reporting a problem.

My method:  
1) smbpasswd machinename$
...this sets the password and also the last-change-time to a non-zero
value, but also resets the machine account to a non-machine account.
2) rejoin the domain: join rpc -S sambaserver -U sambadmin

After this everything is as before, except that the pwd-last-change-time
is set to a non-zero value.


Since doing this it was also suggested that I try 'net rpc changetrustpw'


Ubuntu hardy heron (running 3.0.28a) seems to suffer from at least 2 bad
bugs:
1) the NT_STATUS_PASSWORD_MUST_CHANGE bug mentioned above
2) problems when running winbind on a samba PDC


I face a difficult choice now.  Do I rebuild my server from source, or
do I try a workaround?  This new PDC needs to be up and running by
Monday, and I have a lot of other chores to perform my Monday.


Anyone with suggestions?  Workarounds?

John Baker: please contact me.  Maybe we can help each other.
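
The release note quoted in the message above says that accounts with a last change time of zero are treated as uninitialized, and that 'pdbedit --force-initialized-passwords' resets their hashes to a string of X's. As an added example (not part of the original post and not Samba's own code), this shell function scans a file in the smbpasswd(5) text format and reports both conditions; the function names and the sample entries are constructed for illustration, and it assumes the smbpasswd backend rather than ldapsam.

```shell
#!/bin/sh
# Added example: audit smbpasswd-format entries for a zero last change time.
# Field layout per smbpasswd(5):
#   name:uid:LM hash:NT hash:[account flags]:LCT-<hex seconds>:

# Constructed sample data (placeholder hashes, hypothetical account names).
sample_smbpasswd() {
    cat <<'EOF'
# constructed sample file
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-48A5D8F3:
ws01$:2001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
ws02$:2002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-48A5D8F3:
EOF
}

# Reads smbpasswd-format lines on stdin and prints "name kind finding" for
# every entry that is affected:
#   lct-zero    last change time is zero, so the password counts as uninitialized
#   hash-reset  NT hash is already a string of X's (account was reset)
audit_lct() {
    awk -F: '
        /^[ \t]*#/ || NF < 6 { next }            # skip comments and short lines
        {
            # Machine accounts end in "$" and carry the W flag.
            kind = ($1 ~ /\$$/ || $5 ~ /W/) ? "machine" : "user"
            lct = $6
            sub(/^LCT-/, "", lct)
            if ($4 ~ /^X+$/)
                print $1, kind, "hash-reset"
            else if (lct ~ /^0+$/)
                print $1, kind, "lct-zero"
        }'
}

# Stand-alone run against the constructed sample.
sample_smbpasswd | audit_lct
```

On a real server the input would be the smbpasswd file configured for the passdb backend, read as root; with ldapsam the equivalent check is on the sambaPwdLastSet attribute.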

 
-----Original Message-----
From: samba-bounces+jeff.lepage=asg.com at lists.samba.org
[mailto:samba-bounces+jeff.lepage=asg.com at lists.samba.org] On Behalf Of
John Baker
Sent: Friday, August 15, 2008 12:45 PM
To: samba at lists.samba.org
Subject: [Samba] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

Hi there,

I'm working on a new print server to replace one that's pretty long in 
the tooth.

I'm using standard packages from Ubuntu Hardy Heron which appears to be 
Samba 3.0.28a. We use LDAP for the authentication backend. I seem to 
have that configured properly as I get a ldap_connect_system: succesful 
connection to the LDAP server in the log but every login fails with:

FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

I haven't found much searching other than this is something that 
appeared to happen with 3.0.28a.

We have no password policy and have not had this trouble with any 
previous version of Samba.

Is it a bug?
Is there any fix for this or do I need to go back to dapper or compile 
a different version?

Thank you
-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba