I use Samba as an Active Directory Domain Controller to validate Windows machines and mail POP3 users (Dovecot). I don't really know in which version this behaviour started. I detected it when I upgraded from samba_4.8.12 (which works fine) to samba_4.14.13. I have also tried samba_4.15 and samba_4.16 with the same results. Using LDAP bind to authenticate a user, the last two passwords return true. This doesn't happen when I validate a Windows 10 user against the domain controller.

Steps:
1. Create a new user: smbpasswd -a testuser (password: Testpass01)
2. Check that it validates OK in Windows and LDAP.
3. Change password: smbpasswd testuser (password: Testpass02)
4. Check that in Windows it works as expected: testuser/Testpass02 validates but testuser/Testpass01 doesn't. LDAP bind answers true in both cases.
5. Change password again: smbpasswd testuser (password: Testpass03)
6. Now Windows only accepts testuser/Testpass03, but LDAP bind answers false with testuser/Testpass01 and true with testuser/Testpass02 and testuser/Testpass03.
(In reply to Gonzalo from comment #0) You say that you are running Samba as an AD DC, yet you appear to be going wrong at step 1. I would expect you to be running 'samba-tool user add testuser Testpass01'. I think we need to see your smb.conf, please add it as an attachment.
Created attachment 17445: smb.conf
smb.conf as requested
(In reply to Rowland Penny from comment #1) I have repeated the steps replacing smbpasswd with samba-tool, with the same result.
(In reply to Gonzalo from comment #3) This isn't a Samba problem, it is just complying with what Microsoft expects, see here: https://docs.microsoft.com/en-GB/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication. Or to put it another way, just wait an hour and the old password will not work.
(In reply to Rowland Penny from comment #4) Samba has it as 'old password allowed period = 60' per default...
(In reply to Rowland Penny from comment #4) That's right. Thank you very much. Adding 'old password allowed period = 0' to smb.conf gets back to the old behaviour.
(In reply to Gonzalo from comment #6) Closing this, Samba was working as expected.
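One way to audit an smb.conf for the setting this thread turns on, as an added example that is not Samba's own tooling (the two sample configurations are constructed; the 60-minute default is the one cited in comment #5, and the section/key names follow Samba's smb.conf syntax):

```python
"""Report the effective 'old password allowed period' from an smb.conf.

Samba's global 'old password allowed period' (minutes, default 60) lets the
previous password keep authenticating for that long after a change, which is
why the LDAP simple binds in this thread still accepted Testpass02.
"""
import configparser
import sys
from dataclasses import dataclass

DEFAULT_OLD_PASSWORD_PERIOD = 60  # Samba default, in minutes


@dataclass
class OldPasswordPolicy:
    minutes: int    # effective grace window in minutes
    explicit: bool  # True if smb.conf sets it, False if the default applies

    @property
    def old_password_accepted(self) -> bool:
        return self.minutes > 0


def audit_old_password_period(smb_conf_text: str) -> OldPasswordPolicy:
    """Parse smb.conf text and return the effective old-password grace window."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",),   # smb.conf only uses '='
                                       inline_comment_prefixes=("#", ";"))
    # smb.conf keys are case-insensitive and tolerate extra internal whitespace
    parser.optionxform = lambda key: " ".join(key.lower().split())
    parser.read_string(smb_conf_text)
    for section in parser.sections():
        if section.strip().lower() != "global":
            continue
        raw = parser.get(section, "old password allowed period", fallback=None)
        if raw is not None:
            return OldPasswordPolicy(minutes=int(raw.strip()), explicit=True)
    return OldPasswordPolicy(minutes=DEFAULT_OLD_PASSWORD_PERIOD, explicit=False)


# Constructed samples: an AD DC config without the setting, and one with it set to 0.
SAMPLE_DEFAULT = """# Global parameters
[global]
    realm = EXAMPLE.LAN
    workgroup = EXAMPLE
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""
SAMPLE_FIXED = SAMPLE_DEFAULT.replace("[global]\n", "[global]\n    old password allowed period = 0\n")

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        policy = audit_old_password_period(fh.read())
    source = "smb.conf" if policy.explicit else "Samba default"
    print(f"old password allowed period = {policy.minutes} min ({source}); "
          f"previous password accepted: {policy.old_password_accepted}")
```

Run it as `python audit_smbconf.py /etc/samba/smb.conf`; `testparm -sv | grep 'old password allowed period'` shows the same effective value from Samba itself.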