[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Fri May 4 17:24:36 UTC 2018


On Mon, 16 Apr 2018 19:46:35 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> On Mon, 16 Apr 2018 14:12:02 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Still having daily problems. Yesterday, again, I reset the user
> > password from the AD/DC as the domain administrator: samba-tool user
> > setpassword mark
> > 
> > Today, I was unable to log in. The only message in the log.samba file
> > is:
> > 
> > [2018/04/16 14:02:12.199145,
> > 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > auth_check_password_recv: sam_ignoredomain authentication for user
> > [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
> > 
> > There are no preceeding messages with invalid passwords, etc. If I
> > reset the password as domain administrator I get locked out sometime
> > a day later. This is consistently repeatable.
> > 
> > How do I fix this? This is an urgent problem.
> > 
> > If this list is not the right place for this question, please advise.
> > 
>
> The problem is that the locking out probably has nothing to do
> with the password change, other than the password has been changed.
>
> See here for what to check for:
>
> https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
>
> The other problem is, you really need Samba 4.7.0 onwards to get the
> authentication attempts in the logs, so it looks like you need to
> upgrade, but do not upgrade to 4.8.0
>
> There is probably something trying to auth with a stale password, but
> with your Samba version it will be hard to discover what.
>
> Rowland

I think I've found the culprit.

I have a Windows 7 SQL Server host.  Unfortunately, I was in the habit of logging onto that
machine as the Domain Administrator, which included mapping Samba shares as that user.  When I
changed the Samba server to be a domain member I was no longer able to map shares from this SQL
Server as the Domain Administrator (because the domain administrator is not a member of Domain
Users.  I posted a thread on this in this list: "Domain Administrator cannot map Samba Share
from Windows 7"). So, even though logged in as the Domain Administrator I started mapping the
Samba shares with another domain user's credentials. That worked.

However, I believe when I change the password for that domain user, the Samba mapping on the
SQL Server host does not use the new credentials.  I noticed that I was able to use the new
credentials for a week or more at a time as long as I didn't log onto the SQL Server host as
the Domain Administrator.  But, shortly after logging into the SQL Server host as the Domain
Administrator I got the locked out message.  My guess is that the SQL Server host repeatedly
attempted to reconnect the mapped drive using the now expired credentials until the max number
of failed attempts was exceeded.  Just a guess as there are no log messages about this on the
AD/DC or the Samba share host. 

You (Roland) mention, "you really need Samba 4.7.0 onwards to get the authentication attempts
in the logs".  I do currently get actual login attempt failures in the samba log, but
apparently not share mapping attempts.  I'll likely stick with 4.4.16 as that is the current
release for my distro, but I do look forward to more logging in a future upgrade. 

Meanwhile, I've unmapped all the mapped drives from the SQL Server Administrator account and
have taken to logging on to that host as a domain user, not as the Domain Administrator.

So far, no lock-out issues even though I've logged into that host numerous times. I still need
to test after changing the user PW once again, but I'm giving these current credentials a
couple of weeks to be sure of this phase.

--Mark



More information about the samba mailing list