[Samba] Password change question/1: smbpasswd does not propagate passwords?!

Rowland Penny rpenny at samba.org
Tue Oct 31 17:37:13 UTC 2017

On Tue, 31 Oct 2017 17:59:40 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I reply to myself...
> > So, the question: how replica works?! I'm confused...
> To add ''strangeness'', i've done another password change, on DC1, and
> verified that password change time does not propagate to DC2.

Are you sure that it isn't propogating ?
Have you checked the attribute 'pwdLastSet' in the users object in AD
on all DCs ?

ldbsearch -H /usr/local/samba/private/sam.ldb -b
"DC=samdom,DC=example,DC=com" -s sub
"(&(objectClass=user)(sAMAccountName=username))" pwdLastSet | grep
'[p]wdLastSet' | awk '{print $NF}'

Run the above command on all DCs, it should produce a number and the
number should be the same on all DCs

/usr/local/samba/private/sam.ldb with the path to your sam.ldb
DC=samdom,DC=example,DC=com with your NC
username with a users name from your AD domain

You will also need ldb-tools installed.

> After that i've done a ssh logon on DC2 (with that user, of course)
> and i was able to use the new password, and password change time get
> ''syncronized''.
> After that, i'm now adding a bunch of users on DC2, and they not
> appear on DC1.

This is worrying, they should replicate to all DCs.

> It is normal? How can i debug this, or force a sync?

Definitely not normal, how are you creating users ?

Have a look at 'samba-tool ldapcmp --help' to check the AD databases.


More information about the samba mailing list