Bug 15129 - LDAP bind. Last two password are valid
Summary: LDAP bind. Last two password are valid
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.14.13
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-25 10:43 UTC by Gonzalo
Modified: 2022-07-28 16:04 UTC (History)
0 users

See Also:

Attachments
smb.conf (1.34 KB, text/plain)
2022-07-26 06:35 UTC, Gonzalo 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gonzalo 2022-07-25 10:43:33 UTC 
I use samba as an Active Directory Domain Controller to validate Windows machines and mail pop3 users (Dovecot).

I don't really know in which version started this behaviour. I have detected it when I upgraded from samba_4.8.12 (who works fine) to samba_4.14.13. I have also tried samba_4.15 and samba_4.16 whith same results.

Using LDAP bind to authenticate an user, last two passwords returns true. This doesn't happen when I validate a Windows10 user against the domain controller.

Steps:

1. Create a new user: smbpasswd -a testuser (password: Testpass01)
2. Check that validates Ok in Windows and LDAP.
3. Change password: smbpasswd testuser (password: Testpass02)
4. Check that in Windows works as expected: testuser/Testpass02 validates but testuser/Testpass01 don't. LDAP bind answers true in both cases
5. Change password again: smbpasswd testuser (password: Testpass03)
4. Now Windows only accepts testuser/Testpass03, but LDAP bind answers false with testuser/Testpass01 and true with testuser/Testpass02 and testuser/Testpass03
Comment 1 Rowland Penny 2022-07-25 12:19:18 UTC 
(In reply to Gonzalo from comment #0)
You say that you are running Samba as an AD DC, yet you appear to be going wrong at step 1. I would expect you to be running 'samba-tool user add testuser Testpass01'

I think we need to see your smb.conf, please add it as an attachment.
Comment 2 Gonzalo 2022-07-26 06:35:33 UTC 
Created attachment 17445 [details]
smb.conf

smb.conf as requested
Comment 3 Gonzalo 2022-07-26 06:36:12 UTC 
(In reply to Rowland Penny from comment #1)
I have repeated the steps replacing smbpasswd for samba-tool with same result.
Comment 4 Rowland Penny 2022-07-26 11:11:56 UTC 
(In reply to Gonzalo from comment #3)
This isn't a Samba problem, it is just complying with what Microsoft expects, see here:

https://docs.microsoft.com/en-GB/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication

Or to put it another way, just wait an hour and the old password will not work.
Comment 5 Stefan Metzmacher 2022-07-26 15:09:37 UTC 
(In reply to Rowland Penny from comment #4)

Samba has it as 'old password allowed period = 60' per default...
Comment 6 Gonzalo 2022-07-28 08:13:57 UTC 
(In reply to Rowland Penny from comment #4)
That's right. Thank you very much.

Adding 'old password allowed period = 0' to smb.conf gets back to the old behaviour.
Comment 7 Rowland Penny 2022-07-28 16:04:28 UTC 
(In reply to Gonzalo from comment #6)
Closing this, Samba was working as expected.