[Samba] Changing user account passwords using smbpasswd after password expiration

Ricky Nance ricky.nance at gmail.com
Fri Oct 24 21:36:28 MDT 2014


Hi Yudai,

On Oct 24, 2014 12:51 AM, "Yudai Yamagishi" <yummy at sfc.wide.ad.jp> wrote:
>
> Hello,
>
> I’m currently having a problem where a non-root user can’t change his/her own
> password using the smbpasswd command after the password expiration and would
> like to know how I could solve this problem.

I think this is expected behavior for all systems; I know for sure this is
how a Windows domain acts. Once the password is expired, the user shouldn't
be able to access the system (to reset or otherwise).

>
> Currently, I have a samba server running on CentOS 6.5 with its passdb backend
> configured to another LDAP server. The samba version I’m currently using is
> samba-3.6.9-169 which should be the latest version provided by yum on CentOS 6.
> The setup is working perfectly as it should except for the one issue I mentioned above,
> which is, a user with an expired password cannot change its own password using
> the smbpasswd command.
>
> I currently have the following samba-related entries in each user in my LDAP database:
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaPwdLastSet: 1406347540
>
> Also, I have sambaDomainName=WORKGROUP with entries like the following:
> sambaMinPwdAge: 0
> sambaPwdHistoryLength: 0
> sambaMinPwdLength: 6
> sambaLogonToChgPwd: 2
> sambaLockoutDuration: 1
> sambaMaxPwdAge: 7776000
> sambaLockoutObservationWindow: 1
> sambaLockoutThreshold: 5
>
> With these settings pdbedit shows the following output:
> # pdbedit -u USERNAME -v
> Unix username:        USERNAME
> NT username:          USERNAME
> Account Flags:        [U          ]
> User SID:             **DELETED**
> Primary Group SID:    **DELETED**
> Full Name:            USERNAME
> Home Directory:
> HomeDir Drive:        H:
> Logon Script:         logon.bat
> Profile Path:
> Domain:               WORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Tue, 19 Jan 2038 12:14:07 JST
> Kickoff time:         Tue, 19 Jan 2038 12:14:07 JST
> Password last set:    Sat, 26 Jul 2014 13:05:40 JST
> Password can change:  Sat, 26 Jul 2014 13:05:40 JST
> Password must change: Fri, 24 Oct 2014 13:05:40 JST
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> # pdbedit -P "maximum password age" -v
> account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
> account policy "maximum password age" value is: 7776000
>
> # pdbedit -P "minimum password age" -v
> account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
> account policy "minimum password age" value is: 0
>
> # pdbedit -P "user must logon to change password" -v
> account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
> account policy "user must logon to change password" value is: 2
>
> # pdbedit -P "refuse machine password change" -v
> account policy "refuse machine password change" description: Allow Machine Password changes (default: 0 => off)
> account policy "refuse machine password change" value is: 0
>
> When I run smbpasswd (smbpasswd -U USERNAME) from a non-root user, it dies with:
> SPNEGO login failed: Password expired (shown when -D 10)
> cli_init_creds: user  domain (shown when -D 10)
> Failed to change password!
>
> I can’t paste all the server logs here but the following log lines seem to be
> related (log level 50):
> [2014/10/24 14:34:08.679682,  5] auth/check_samsec.c:165(logon_hours_ok)
>  logon_hours_ok: user USERNAME allowed to logon at this time (Fri Oct 24 05:34:08 2014
>  )
> [2014/10/24 14:34:08.679736,  4] smbd/sec_ctx.c:214(push_sec_ctx)
>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2014/10/24 14:34:08.679773,  4] smbd/uid.c:460(push_conn_ctx)
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2014/10/24 14:34:08.679809,  4] smbd/sec_ctx.c:314(set_sec_ctx)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/10/24 14:34:08.679845,  5] ../libcli/security/security_token.c:53(security_token_debug)
>  Security token: (NULL)
> [2014/10/24 14:34:08.679881,  5] auth/token_util.c:527(debug_unix_user_token)
>  UNIX token of user 0
>  Primary group is 0 and contains 0 supplementary groups
> [2014/10/24 14:34:08.679942, 11] passdb/pdb_ldap.c:4040(ldapsam_get_account_policy)
>  ldapsam_get_account_policy: got valid value from cache
> [2014/10/24 14:34:08.679982,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/10/24 14:34:08.680020,  1] auth/check_samsec.c:224(sam_account_ok)
>  sam_account_ok: Account for user 'USERNAME' password expired!
> [2014/10/24 14:34:08.680062,  1] auth/check_samsec.c:225(sam_account_ok)
>  sam_account_ok: Password expired at 'Fri, 24 Oct 2014 13:05:40 JST' (1414123540) unix time.
> [2014/10/24 14:34:08.680108,  5] auth/auth.c:271(check_ntlm_password)
>  check_ntlm_password: sam authentication for user [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
> [2014/10/24 14:34:08.680152, 10] auth/auth_winbind.c:50(check_winbind_security)
>  Check auth for: [USERNAME]
> [2014/10/24 14:34:08.680188,  3] auth/auth_winbind.c:60(check_winbind_security)
>  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
> [2014/10/24 14:34:08.680223, 10] auth/auth.c:259(check_ntlm_password)
>  check_ntlm_password: winbind had nothing to say
> [2014/10/24 14:34:08.680260,  2] auth/auth.c:319(check_ntlm_password)
>  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
> [2014/10/24 14:34:08.680306,  3] smbd/error.c:81(error_packet_set)
>  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_EXPIRED
>
>
> The issue I’m having sounds like the bug mentioned in the bug report below:
> https://bugzilla.samba.org/show_bug.cgi?id=4085
> However, since I am running a version which should have the patch applied,
> I don’t think this bug applies to my case.
>
> So, can anyone shed some light on what’s going on here?
>
> Best Regards,
> Yudai Yamagishi

Hope that helps,
Ricky
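An added check, not part of the thread, that reproduces the expiry arithmetic behind the quoted pdbedit output and log line from the attribute values Yudai posted: "Password must change" is sambaPwdLastSet + sambaMaxPwdAge (1406347540 + 7776000 = 1414123540, the unix time in the sam_account_ok line), and with sambaLogonToChgPwd set an expired user is refused before any change can happen. The self_change_blocked rule is an assumption modelling the behaviour observed in the thread, not Samba's own code.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample input: the LDAP attribute values quoted in the thread.
USER_ENTRY = """\
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1406347540
"""
DOMAIN_ENTRY = """\
sambaMinPwdAge: 0
sambaMaxPwdAge: 7776000
sambaLogonToChgPwd: 2
"""
NEVER = 2147483647  # sentinel Samba stores for "never" in time attributes
JST = timezone(timedelta(hours=9))

def parse_attrs(text):
    """Parse 'attr: value' lines into a dict (last value wins)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def password_expiry(user, domain):
    """Unix time the password expires, or None for never.
    Matches the thread's pdbedit output: 'Password must change' is
    sambaPwdLastSet + sambaMaxPwdAge; sambaPwdMustChange is not used."""
    max_age = int(domain.get("sambaMaxPwdAge", -1))
    if max_age < 0 or max_age == NEVER:
        return None
    return int(user["sambaPwdLastSet"]) + max_age

def is_expired(user, domain, now):
    """The check sam_account_ok reports as NT_STATUS_PASSWORD_EXPIRED."""
    expiry = password_expiry(user, domain)
    return expiry is not None and now >= expiry

def self_change_blocked(user, domain, now):
    """Assumption modelling the thread: with 'user must logon to change
    password' (sambaLogonToChgPwd) on, smbpasswd -U needs a logon that an
    expired password cannot provide, so the user cannot fix it alone."""
    logon_required = domain.get("sambaLogonToChgPwd", "0") != "0"
    return logon_required and is_expired(user, domain, now)

def fmt_jst(ts):
    """Render a unix time the way pdbedit printed it in the thread."""
    return datetime.fromtimestamp(ts, JST).strftime("%a, %d %b %Y %H:%M:%S JST")
```

Calling `is_expired(parse_attrs(USER_ENTRY), parse_attrs(DOMAIN_ENTRY), 1414128848)` uses the timestamp of the quoted log (2014/10/24 14:34:08 JST) and returns True, matching the logged failure.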

