[Samba] user login passwords are mixed up

Rowland penny rpenny at samba.org
Sun Feb 21 21:15:49 UTC 2016


On 21/02/16 20:57, oeh univie edv lists wrote:
> Thank you! That was the hint I needed with 4.2 and "Bad Password 
> Lockout in the AD DC".
>
> I did it via samba-tool this time and not via GPO with RSAT.
>
> samba-tool domain passwordsettings set --history-length=0
>
> samba-tool domain passwordsettings show
> Password informations for domain 'DC=x,DC=x,DC=x'
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 7
> Minimum password age (days): 1
> Maximum password age (days): 42
>
> systemctl restart samba-ad-dc.service
>
> And the most important thing was to execute "GPUpdate.exe /force" in 
> command line on the windows computer where my RSAT runs with domain 
> administrator and restart the computer.
>
> Now the behaviour is as one would expect. Previous old password 
> doesn't work any more. And when system requests you to change the 
> password, you can switch new password to the old password again. This 
> would be a security issue.
>
> Fine that it works but I will undo it and tell my users that this 
> "previous old password" login is no security problem but a "Microsoft 
> feature"...
>
> What I still do not understand is that what I see with "samba-tool 
> domain passwordsettings show" is not the same as in GPO via RSAT. The 
> changes I made with "samba-tool domain passwordsettings show" are not 
> replicated to GPO via RSAT. Is it more stable to change GPO via RSAT 
> or via samba-tool ?
>
> thank you!
> birgit
>
>
> *Rowland penny <rpenny at samba.org> schreibt:*
> On 20/02/16 22:05, oeh univie edv lists wrote:
> > Hello,
> >
> > In what samba version is parameter "old password allowed period"
> > introduced?
> >
> > This parameter seems be the remedy to my problem but I cannot find it with
> > "testparm -v | grep password"
> > or in my
> > "man smb.conf"
> >
> > Does it even exist in 4.1.17 (just the regular debian package)?
>
> I think it came in with the implementation of bad password lockout in
> 4.2.0, so I don't think you will have it on 4.1.17. Easiest way to get
> it would be to upgrade to the Sernet 4.2.x packages, or wait until
> Debian possibly backports 4.3.3 from sid.
>
>
> >
> > In this document it says it is for samba version 4:
> >https://www.mankier.com/5/smb.conf
> >
> > I found this where the parameter is introduced:
> >https://jelmer.uk/klaus/samba/commit/9d5f4cabf3f491fd1c22dbc1daaad8a657d12914/
> >
> > Is there an easy solution to use this parameter in 4.1.17?
> >
> > I set "Enforce Password History" to value "0" in the GPO. Login with
> > the previous old password is no longer possible BUT I cannot change
> > the new password to any old passwords. That should be possible with no
> > history, shouldn't it? I tried it several times. Somehow the password
> > history still works regarding that. But why? I moved gencache.tdb in
> > /var/cache/samba to oldgenchache.tdb but still the same behaviour... I
> > restarted samba... Why does the password history still work? Where
> > does Samba store the password history?
>
> Good question, not sure where it is stored, anybody know ?
>
> >
> > This behaviour is perfect for what I want, but there is no logic in
> > it. There must be some lack of understanding here...
> >
> > And for what reasons should one want a 60 minutes permit on NTLM login
> > after a password change anyway?
>
> Again I don't know, I suggest you take it up with microsoft, Samba is
> just being compatible with windows here.
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>

What you need to understand is that GPOs have no effect on a Samba4 AD 
DC; by my understanding, GPOs alter the registry, and a Samba4 DC doesn't 
have a registry.

Rowland
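The settings Birgit pasted from "samba-tool domain passwordsettings show" can be checked mechanically instead of by eye. The script below is an added example, not code from this thread or from the Samba project: it parses the text format quoted above (both sample outputs here are constructed, one mirroring the thread's values and one hardened policy) and flags weak values, in particular the history length of 0 the thread discusses, which lets users cycle back to an old password. The thresholds (MIN_HISTORY, MIN_LENGTH) and the helper names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: audit the text that
# "samba-tool domain passwordsettings show" prints and flag weak values.
# Both samples are constructed to match the format quoted in the thread.
# On a live DC you would feed the real output instead:
#   audit_pwsettings "$(samba-tool domain passwordsettings show)"

# Constructed sample: the settings quoted in the thread (history length 0)
SAMPLE_OUTPUT="Password informations for domain 'DC=x,DC=x,DC=x'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42"

# Constructed sample of a hardened policy
HARDENED_OUTPUT="Password informations for domain 'DC=x,DC=x,DC=x'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 12
Minimum password age (days): 1
Maximum password age (days): 90"

# Thresholds are this example's assumptions, not Samba or Microsoft defaults
MIN_HISTORY=1
MIN_LENGTH=8

# get_setting OUTPUT LABEL: print the value after "LABEL: " (empty if absent)
get_setting() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '$1 == key { print $2; exit }'
}

# audit_pwsettings OUTPUT: print one "WEAK:" line per finding; always exits 0
audit_pwsettings() {
    out=$1
    history=$(get_setting "$out" "Password history length")
    minlen=$(get_setting "$out" "Minimum password length")
    maxage=$(get_setting "$out" "Maximum password age (days)")
    complexity=$(get_setting "$out" "Password complexity")
    plaintext=$(get_setting "$out" "Store plaintext passwords")

    # History 0 is exactly the setting discussed in the thread:
    # users may change the password straight back to the old one.
    if [ "${history:-0}" -lt "$MIN_HISTORY" ]; then
        echo "WEAK: password history length ${history:-unset} lets users reuse old passwords"
    fi
    if [ "${minlen:-0}" -lt "$MIN_LENGTH" ]; then
        echo "WEAK: minimum password length ${minlen:-unset} is below $MIN_LENGTH"
    fi
    # samba-tool uses 0 for "no maximum age"
    if [ "${maxage:-0}" -eq 0 ]; then
        echo "WEAK: passwords never expire (maximum age 0)"
    fi
    if [ "$complexity" != "on" ]; then
        echo "WEAK: password complexity is '${complexity:-unset}', expected on"
    fi
    if [ "$plaintext" != "off" ]; then
        echo "WEAK: plaintext password storage is '${plaintext:-unset}', expected off"
    fi
    return 0
}

# count_findings OUTPUT: print the number of WEAK lines (0 when the policy is clean)
count_findings() {
    audit_pwsettings "$1" | awk '/^WEAK:/ { n++ } END { print n + 0 }'
}

# Stand-alone run: report on the thread's settings
audit_pwsettings "$SAMPLE_OUTPUT"
```

Run against the thread's values the script reports two findings (history length 0 and minimum length 7); against the hardened sample it reports none. Because the check reads the DC's own view of the policy, it also sidesteps the mismatch Birgit noticed between samba-tool and the GPO editor in RSAT: whatever RSAT displays, this is what the DC enforces.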


