[Samba] user login passwords are mixed up

oeh univie edv lists edv-lists at oeh.univie.ac.at
Sun Feb 21 20:57:23 UTC 2016

Thank you! That was the hint I needed with 4.2 and "Bad Password Lockout
in the AD DC".

I did it via samba-tool this time and not via GPO with RSAT.

samba-tool domain passwordsettings set --history-length=0

samba-tool domain passwordsettings show
Password informations for domain 'DC=x,DC=x,DC=x'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42

systemctl restart samba-ad-dc.service

And the most important thing was to execute "GPUpdate.exe /force" in
command line on the windows computer where my RSAT runs with domain
administrator and restart the computer.

Now the behaviour is as one would expect. The previous old password doesn't
work any more. And when the system requests you to change the password, you
can switch the new password back to the old password again. This would be a
security issue.

Fine that it works, but I will undo it and tell my users that this
"previous old password" login is no security problem but "microsoft

What I still do not understand is that what I see with "samba-tool domain
passwordsettings show" is not the same as in the GPO via RSAT. The changes I
made with "samba-tool domain passwordsettings show" are not replicated to
the GPO via RSAT. Is it more stable to change the GPO via RSAT or via samba-tool?

thank you!

Rowland Penny <rpenny at samba.org> writes:
>On 20/02/16 22:05, oeh univie edv lists wrote:
>> Hello,
>> In what samba version is parameter "old password allowed period" 
>> introduced?
>> This parameter seems be the remedy to my problem but I cannot find it
>> "testparm -v | grep password"
>> or in my
>> "man smb.conf"
>> Does it even exist in 4.1.17 (just the regular debian package)?
>I think it came in with the implementation of bad password lockout in 
>4.2.0, so I don't think you will have it on 4.1.17. Easiest way to get 
>it would be to upgrade to the Sernet 4.2.x packages, or wait until 
>Debian possibly backports 4.3.3 from sid.
>> In this document it says it is for samba version 4:
>> https://www.mankier.com/5/smb.conf
>> I found this where the parameter is introduced:
>> Is there an easy solution to use this parameter in 4.1.17?
>> I set "Enforce Password History" to value "0" in the GPO. Login with 
>> the previous old password is no longer possible BUT I cannot change 
>> the new password to any old passwords. That should be possible with no 
>> history, shouldn't it? I tried it several times. Somehow the password 
>> history still works regarding that. But why? I moved gencache.tdb in 
>> /var/cache/samba to oldgenchache.tdb but still the same behaviour... I 
>> restarted samba... Why does the password history still work? Where 
>> does Samba store the password history?
>Good question, not sure where it is stored, anybody know?
>> This behaviour is perfect for what I want, but there is no logic in 
>> it. There must be some lack of understanding here...
>> And for what reasons should one want a 60 minutes permit on NTLM login 
>> after a password change anyway?
>Again I don't know, I suggest you take it up with microsoft, Samba is 
>just being compatible with windows here.
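Added here as an example, not part of the thread above: a small POSIX sh audit of the text that `samba-tool domain passwordsettings show` prints, using the output quoted in the post as its sample and assuming that line format; the "hardened" variant with history re-enabled is constructed. It flags the history-length-0 setting the poster describes as a security issue, plus the other values a defender would check.

```shell
#!/bin/sh
# Added example (not from the post): audit the text printed by
# `samba-tool domain passwordsettings show` for weak values.
# SAMPLE_SHOW is the output quoted in the post; HARDENED_SHOW is a
# constructed variant with the password history turned back on.
SAMPLE_SHOW="Password informations for domain 'DC=x,DC=x,DC=x'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42"

HARDENED_SHOW=$(printf '%s\n' "$SAMPLE_SHOW" \
    | sed 's/^Password history length: .*/Password history length: 24/')

# pw_setting <show-output> <label>: print the value after "<label>:".
pw_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# audit_pw_settings <show-output>: print one line per weak setting;
# return 1 if anything was flagged, 0 if the policy looks sane.
audit_pw_settings() {
    out=$1 rc=0
    hist=$(pw_setting "$out" "Password history length")
    minlen=$(pw_setting "$out" "Minimum password length")
    minage=$(pw_setting "$out" "Minimum password age (days)")
    complexity=$(pw_setting "$out" "Password complexity")
    plaintext=$(pw_setting "$out" "Store plaintext passwords")
    # History 0 is what the post set: users can cycle back to an old password.
    if [ "${hist:-0}" -lt 1 ]; then
        echo "WEAK: history length ${hist:-unset} allows password reuse"; rc=1
    fi
    # A minimum age of 0 lets a user burn through the history in one sitting.
    if [ "${minage:-0}" -lt 1 ]; then
        echo "WEAK: minimum password age ${minage:-unset} defeats history"; rc=1
    fi
    if [ "${minlen:-0}" -lt 7 ]; then
        echo "WEAK: minimum password length ${minlen:-unset}"; rc=1
    fi
    [ "$complexity" = "on" ] || { echo "WEAK: password complexity $complexity"; rc=1; }
    [ "$plaintext" = "off" ] || { echo "WEAK: plaintext storage $plaintext"; rc=1; }
    return $rc
}

# Live use on a DC: audit_pw_settings "$(samba-tool domain passwordsettings show)"
```

Note that this reads only the samba-tool view; as the post observes, the GPO as shown in RSAT may differ, so compare both before trusting either.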
