[Samba] How to change Domain password as normal user?

Rowland Penny rpenny at samba.org
Fri May 4 17:56:24 UTC 2018


On Fri, 04 May 2018 13:24:36 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon, 16 Apr 2018 19:46:35 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > On Mon, 16 Apr 2018 14:12:02 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > Still having daily problems. Yesterday, again, I reset the user
> > > password from the AD/DC as the domain administrator: samba-tool
> > > user setpassword mark
> > > 
> > > Today, I was unable to log in. The only message in the log.samba
> > > file is:
> > > 
> > > [2018/04/16 14:02:12.199145,
> > > 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > > auth_check_password_recv: sam_ignoredomain authentication for user
> > > [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
> > > 
> > > There are no preceding messages with invalid passwords, etc. If I
> > > reset the password as domain administrator I get locked out
> > > sometime a day later. This is consistently repeatable.
> > > 
> > > How do I fix this? This is an urgent problem.
> > > 
> > > If this list is not the right place for this question, please
> > > advise.
> > > 
> >
> > The problem is that the locking out probably has nothing to do
> > with the password change, other than the password has been changed.
> >
> > See here for what to check for:
> >
> > https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
> >
> > The other problem is, you really need Samba 4.7.0 onwards to get the
> > authentication attempts in the logs, so it looks like you need to
> > upgrade, but do not upgrade to 4.8.0
> >
> > There is probably something trying to auth with a stale password,
> > but with your Samba version it will be hard to discover what.
> >
> > Rowland
> 
> I think I've found the culprit.
> 
> I have a Windows 7 SQL Server host.  Unfortunately, I was in the
> habit of logging onto that machine as the Domain Administrator, which
> included mapping Samba shares as that user.  When I changed the Samba
> server to be a domain member I was no longer able to map shares from
> this SQL Server as the Domain Administrator (because the domain
> administrator is not a member of Domain Users.  I posted a thread on
> this in this list: "Domain Administrator cannot map Samba Share from
> Windows 7"). So, even though logged in as the Domain Administrator I
> started mapping the Samba shares with another domain user's
> credentials. That worked.
> 
> However, I believe when I change the password for that domain user,
> the Samba mapping on the SQL Server host does not use the new
> credentials.  I noticed that I was able to use the new credentials
> for a week or more at a time as long as I didn't log onto the SQL
> Server host as the Domain Administrator.  But, shortly after logging
> into the SQL Server host as the Domain Administrator I got the locked
> out message.  My guess is that the SQL Server host repeatedly
> attempted to reconnect the mapped drive using the now expired
> credentials until the max number of failed attempts was exceeded.
> Just a guess as there are no log messages about this on the AD/DC or
> the Samba share host. 

I did ask if something was using the wrong password; this is usually
the reason for locked accounts.

> 
> You (Rowland) mention, "you really need Samba 4.7.0 onwards to get the
> authentication attempts in the logs".  I do currently get actual
> login attempt failures in the samba log, but apparently not share
> mapping attempts.  I'll likely stick with 4.4.16 as that is the
> current release for my distro, but I do look forward to more logging
> in a future upgrade. 

You really need to consider if using Slackware is such a good idea. I
know the basis behind it, the packages it offers have had all the bugs
ironed out. I wish this was true, it isn't. As far as Samba is
concerned, the 4.4 series is EOL and will not get any further updates.
So if you need something that has been added to later versions, you
have to rely on Slackware backporting it. I see that
'slackware-current' has 4.8.1, I would suggest you see if there is
any way of using this, but you cannot upgrade to 4.8.1 because of a
known bug. 

Rowland
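Added example, not code from either poster or from the Samba project: a small Python parser for log.samba entries of the kind quoted in this thread, which reports per user how many failed authentications were logged before the first NT_STATUS_ACCOUNT_LOCKED_OUT. A lockout with zero logged failures before it, as described above, means the failing attempts were never recorded in that log. The function names and the HPRS\alice entries are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First entry: the one quoted in the thread, line-wrapped as the mail left it.
# The HPRS\alice entries are constructed sample data for contrast.
SAMPLE_LOG = r"""[2018/04/16 14:02:12.199145,
2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
auth_check_password_recv: sam_ignoredomain authentication for user
[HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
[2018/04/16 14:05:01.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/04/16 14:05:03.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/04/16 14:05:05.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,")
FAILURE = re.compile(r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")

def parse_failures(text):
    """Yield (timestamp, user, status) per failed-auth entry, rejoining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a timestamp header starts a new entry
            entries.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), ""])
        elif entries:  # continuation line belongs to the current entry
            entries[-1][1] += " " + line.strip()
    for stamp, body in entries:
        f = FAILURE.search(body)
        if f:
            yield stamp, f.group(1), f.group(2)

def lockout_report(text):
    """Per user: failures logged before the first lockout, and the lockout time."""
    report = defaultdict(lambda: {"failures_before": 0, "first_lockout": None})
    for stamp, user, status in parse_failures(text):
        entry = report[user]
        if status == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            entry["first_lockout"] = entry["first_lockout"] or stamp
        elif entry["first_lockout"] is None:
            entry["failures_before"] += 1
    return dict(report)

def unexplained_lockouts(report):
    """Users locked out with no logged failure: the bad attempts are not in this log."""
    return sorted(u for u, e in report.items() if e["first_lockout"] and not e["failures_before"])
```
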


