[Samba] smbpasswd command fails

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Oct 3 22:40:07 UTC 2016


I have samba 3.6.x domain controller (not patched for BADLOCK 
yet.)       From a linux machine (Fedora Core 23) , smbpasswd fails to 
change a password.


        [someuser at linux1 /]$ smbpasswd -r pdc
        Old SMB password:
        New SMB password:
        Retype new SMB password:
        smb_signing_good: BAD SIG: seq 1
        Could not connect to machine pdc: NT_STATUS_ACCESS_DENIED
        [someuser at linux1 /]$



FC23 machines have samba  4.3.11   client components installed.


If I ssh to the domain controller, I can change my password


        [someuser at pdc]$ smbpasswd
        Old SMB password:
        New SMB password:
        Retype new SMB password:
        Connecting to 127.0.0.1 at port 445
        Doing spnego session setup (blob length=58)
        got OID=1.3.6.1.4.1.311.2.2.10
        got principal=NONE
        Got challenge flags:
        Got NTLMSSP neg_flags=0x60898215
        NTLMSSP: Set final flags:
        Got NTLMSSP neg_flags=0x60088215
        NTLMSSP Sign/Seal - Initialising with flags:
        Got NTLMSSP neg_flags=0x60088215
        Got challenge flags:
        Got NTLMSSP neg_flags=0x60898235
        NTLMSSP: Set final flags:
        Got NTLMSSP neg_flags=0x60088235
        NTLMSSP Sign/Seal - Initialising with flags:
        Got NTLMSSP neg_flags=0x60088235
        Password changed for user someuser
        [someuser at pdc]


I am assuming this is because the client side has the lastest BADLOCK 
patches.         However I only noticed this when users started 
complaining that they could no longer changes passwords from windows 
PC's (due to a recent MS patch.)     smbpasswd from a linux or solaris 
machine was the alternative.


I have not yet  tried tweaking the client smb.conf or downgrading to a 
pre-patched version.       Linux-based samba 4 member servers  that have 
been upgraded would fail to allow domain users, so those did require a 
roll back to a pre-badlock version. Samba 3.x server with badlock patch 
still seem compatible with pre-patched DC's.



Thanks











More information about the samba mailing list