[Samba] user login passwords are mixed up

Rowland penny rpenny at samba.org
Sun Feb 21 12:00:07 UTC 2016

On 20/02/16 22:05, oeh univie edv lists wrote:
> Hello,
> In what samba version is parameter "old password allowed period" 
> introduced?
> This parameter seems be the remedy to my problem but I cannot find it with
> "testparm -v | grep password"
> or in my
> "man smb.conf"
> Does it even exist in 4.1.17 (just the regular debian package)?

I think it came in with the implementation of bad password lockout in 
4.2.0, so I don't think you will have it on 4.1.17. Easiest way to get 
it would be to upgrade to the Sernet 4.2.x packages, or wait until 
Debian possibly backports 4.3.3 from sid.

> In this document it says it is for samba version 4:
> https://www.mankier.com/5/smb.conf
> I found this where the parameter is introduced:
> https://jelmer.uk/klaus/samba/commit/9d5f4cabf3f491fd1c22dbc1daaad8a657d12914/
> Is there an easy solution to use this paramter in 4.1.17?
> I set "Enforce Password History" to value "0" in the GPO. Login with 
> the previous old password is no longer possible BUT I cannot change 
> the new password to any old passwords. That should be possible with no 
> history, shouldn't it? I tried it several times. Somehow the password 
> history still works regarding that. But why? I moved gencache.tdb in 
> /var/cache/samba to oldgenchache.tdb but still the same behaviour... I 
> restarted samba... Why does the password history still work? Where 
> does Samba store the password history?

Good question, not sure where it is stored, anybody know ?

> This behaviour is perfect for what I want, but there is no logic in 
> it. There must be some lack of understanding here...
> And for what reasons should one want a 60 minutes permit on NTLM login 
> after a password change anyway?

Again I don't know, I suggest you take it up with microsoft, Samba is 
just being compatible with windows here.


More information about the samba mailing list