[Samba] user login passwords are mixed up
rpenny at samba.org
Sun Feb 21 21:15:49 UTC 2016
On 21/02/16 20:57, oeh univie edv lists wrote:
> Thank you! That was the hint I needed with 4.2 and "Bad Password
> Lockout in the AD DC".
> I did it via samba-tool this time and not via GPO with RSAT.
> samba-tool domain passwordsettings set --history-length=0
> samba-tool domain passwordsettings show
> Password informations for domain 'DC=x,DC=x,DC=x'
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 7
> Minimum password age (days): 1
> Maximum password age (days): 42
> systemctl restart samba-ad-dc.service
> And the most important thing was to execute "GPUpdate.exe /force" in
> command line on the windows computer where my RSAT runs with domain
> administrator and restart the computer.
> Now the behaviour is as one would expect. Previous old password
> doesn't work any more. And when system requests you to change the
> password, you can switch new password to the old password again. This
> would be a security issue.
> Fine that it works but I will undo it and tell my users that this
> "previous old password" login is no security problem but "microsoft
> What I still do not understand is that what I see with "samba-tool
> domain passwordsettings show" is not the same as in GPO via RSAT. The
> changes I made with "samba-tool domain passwordsettings show" are not
> replicated to GPO via RSAT. Is it more stable to change GPO via RSAT
> or via samba-tool ?
> thank you!
> *Rowland Penny <rpenny at samba.org> writes:*
> On 20/02/16 22:05, oeh univie edv lists wrote:
> > Hello,
> > In what samba version is parameter "old password allowed period"
> > introduced?
> > This parameter seems to be the remedy to my problem but I cannot find it with
> > "testparm -v | grep password"
> > or in my
> > "man smb.conf"
> > Does it even exist in 4.1.17 (just the regular debian package)?
> I think it came in with the implementation of bad password lockout in
> 4.2.0, so I don't think you will have it on 4.1.17. Easiest way to get
> it would be to upgrade to the Sernet 4.2.x packages, or wait until
> Debian possibly backports 4.3.3 from sid.
> > In this document it says it is for samba version 4:
> > I found this where the parameter is introduced:
> > Is there an easy solution to use this parameter in 4.1.17?
> > I set "Enforce Password History" to value "0" in the GPO. Login with
> > the previous old password is no longer possible BUT I cannot change
> > the new password to any old passwords. That should be possible with no
> > history, shouldn't it? I tried it several times. Somehow the password
> > history still works regarding that. But why? I moved gencache.tdb in
> > /var/cache/samba to oldgenchache.tdb but still the same behaviour... I
> > restarted samba... Why does the password history still work? Where
> > does Samba store the password history?
> Good question, not sure where it is stored, anybody know ?
> > This behaviour is perfect for what I want, but there is no logic in
> > it. There must be some lack of understanding here...
> > And for what reasons should one want a 60 minutes permit on NTLM login
> > after a password change anyway?
> Again I don't know, I suggest you take it up with microsoft, Samba is
> just being compatible with windows here.
What you need to understand is that GPOs have no effect on a Samba4 AD
DC; by my understanding, GPOs alter the registry and a Samba4 DC doesn't
have a registry.
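The thread touches two settings that weaken password-change enforcement on a Samba AD DC: a password history length of 0 (old passwords can be reused, as the poster noticed) and the smb.conf parameter "old password allowed period", which in Samba 4.2 and later keeps accepting the previous password for NTLM logins for a number of minutes after a change (60 by default, which matches the "60 minutes permit" mentioned above). The POSIX shell script below is an added example, not part of this thread or of Samba itself: it parses the output of `samba-tool domain passwordsettings show` (in the format quoted above) and the `key = value` lines of `testparm -s`, and reports settings a defender would want to review. The sample outputs embedded in it are constructed for offline use; on a real DC you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example (not from the Samba project): audit a Samba AD DC password
# policy for settings that allow reuse of, or continued logon with, an old
# password. Assumes the "samba-tool domain passwordsettings show" output
# format quoted in the thread and "key = value" lines as printed by testparm -s.

# Constructed sample of "samba-tool domain passwordsettings show" output.
SAMPLE_PWSETTINGS="Password informations for domain 'DC=x,DC=x,DC=x'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42"

# Constructed sample of "testparm -s" output; 60 is the parameter's default
# in Samba >= 4.2 (assumption based on the thread's "60 minutes" remark).
SAMPLE_SMBCONF="[global]
	workgroup = X
	old password allowed period = 60"

# pw_setting KEY: print the value for KEY from passwordsettings output on stdin.
pw_setting() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# smb_param NAME: print the value of smb.conf parameter NAME from testparm-style
# output on stdin (leading tabs/spaces are stripped before the comparison).
smb_param() {
    awk -F' = ' -v key="$1" '{ sub(/^[ \t]+/, "", $1) } $1 == key { print $2; exit }'
}

# audit_pwpolicy PWSETTINGS_TEXT SMBCONF_TEXT
# Prints one line per finding. The exit status is the number of findings, so
# 0 means nothing to report.
audit_pwpolicy() {
    findings=0
    hist=$(printf '%s\n' "$1" | pw_setting "Password history length")
    complexity=$(printf '%s\n' "$1" | pw_setting "Password complexity")
    oldpw=$(printf '%s\n' "$2" | smb_param "old password allowed period")

    # History length 0 lets a user set the previous password again.
    if [ "${hist:-0}" -lt 1 ]; then
        echo "WEAK: password history length is ${hist:-0}; previous passwords can be reused"
        findings=$((findings + 1))
    fi

    # Complexity off removes the only content check the DC applies.
    if [ "$complexity" = "off" ]; then
        echo "WEAK: password complexity is off"
        findings=$((findings + 1))
    fi

    # A non-zero grace period keeps the old password valid for NTLM logons
    # after a change; note it so the window is a conscious decision.
    if [ "${oldpw:-0}" -gt 0 ]; then
        echo "NOTE: old password allowed period is ${oldpw} minutes; the previous password still works for NTLM logons during that window"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run the audit against the constructed samples when executed directly.
audit_pwpolicy "$SAMPLE_PWSETTINGS" "$SAMPLE_SMBCONF" \
    || echo "audit: $? setting(s) to review"
```

On a live DC the same functions work on real output, e.g. `audit_pwpolicy "$(samba-tool domain passwordsettings show)" "$(testparm -s 2>/dev/null)"`. The exit status doubles as the finding count so the script can be dropped into a cron job or a configuration check without parsing its text.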