Bug 15129 - LDAP bind. Last two password are valid
Summary: LDAP bind. Last two password are valid
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.14.13
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-07-25 10:43 UTC by Gonzalo
Modified: 2022-07-28 16:04 UTC

Attachments
smb.conf (1.34 KB, text/plain)
2022-07-26 06:35 UTC, Gonzalo
Description Gonzalo 2022-07-25 10:43:33 UTC
I use samba as an Active Directory Domain Controller to validate Windows machines and mail pop3 users (Dovecot).

I don't really know in which version this behaviour started. I detected it when I upgraded from samba_4.8.12 (which works fine) to samba_4.14.13. I have also tried samba_4.15 and samba_4.16 with the same results.

Using LDAP bind to authenticate a user, the last two passwords return true. This doesn't happen when I validate a Windows 10 user against the domain controller.

Steps:

1. Create a new user: smbpasswd -a testuser (password: Testpass01)
2. Check that it validates OK in Windows and LDAP.
3. Change password: smbpasswd testuser (password: Testpass02)
4. Check that Windows works as expected: testuser/Testpass02 validates but testuser/Testpass01 doesn't. LDAP bind answers true in both cases.
5. Change password again: smbpasswd testuser (password: Testpass03)
6. Now Windows only accepts testuser/Testpass03, but LDAP bind answers false with testuser/Testpass01 and true with testuser/Testpass02 and testuser/Testpass03.
Comment 1 Rowland Penny 2022-07-25 12:19:18 UTC
(In reply to Gonzalo from comment #0)
You say that you are running Samba as an AD DC, yet you appear to be going wrong at step 1. I would expect you to be running 'samba-tool user add testuser Testpass01'

I think we need to see your smb.conf, please add it as an attachment.
Comment 2 Gonzalo 2022-07-26 06:35:33 UTC
Created attachment 17445
smb.conf

smb.conf as requested
Comment 3 Gonzalo 2022-07-26 06:36:12 UTC
(In reply to Rowland Penny from comment #1)
I have repeated the steps replacing smbpasswd with samba-tool, with the same result.
Comment 4 Rowland Penny 2022-07-26 11:11:56 UTC
(In reply to Gonzalo from comment #3)
This isn't a Samba problem, it is just complying with what Microsoft expects, see here:

https://docs.microsoft.com/en-GB/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication

Or to put it another way, just wait an hour and the old password will not work.
Comment 5 Stefan Metzmacher 2022-07-26 15:09:37 UTC
(In reply to Rowland Penny from comment #4)

Samba has it as 'old password allowed period = 60' per default...
Comment 6 Gonzalo 2022-07-28 08:13:57 UTC
(In reply to Rowland Penny from comment #4)
That's right. Thank you very much.

Adding 'old password allowed period = 0' to smb.conf gets back to the old behaviour.
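Added example, not from the bug report or from Samba's code: it reads the effective 'old password allowed period' from an smb.conf (Samba's default of 60 minutes, as stated in comment 5, applies when the parameter is absent) and computes whether a user's previous password still falls inside that grace window given the account's pwdLastSet value. The smb.conf fragment below is constructed, not the reporter's attachment.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_PERIOD_MINUTES = 60  # Samba's default for 'old password allowed period'

# Constructed sample smb.conf (not the attachment from this bug report).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    # comment 6: setting this to 0 restores the pre-4.14 behaviour
    old password allowed period = 0
"""

def _canon(name):
    """Samba matches parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def old_password_allowed_period(smb_conf):
    """Effective grace period in minutes from [global], default 60 when unset."""
    section, value = None, DEFAULT_PERIOD_MINUTES
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if _canon(key) == "oldpasswordallowedperiod":
                value = int(val)
    return value

def filetime_to_datetime(filetime):
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)

def previous_password_still_accepted(pwd_last_set, now, period_minutes):
    """True while 'now' lies inside the grace window after the last change."""
    if period_minutes <= 0:
        return False
    changed_at = filetime_to_datetime(pwd_last_set)
    return now < changed_at + timedelta(minutes=period_minutes)

def audit(smb_conf, pwd_last_set, now):
    """Summarise the window a defender should expect for NTLM network logons."""
    period = old_password_allowed_period(smb_conf)
    return {"period_minutes": period,
            "previous_password_accepted": previous_password_still_accepted(
                pwd_last_set, now, period)}
```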
Comment 7 Rowland Penny 2022-07-28 16:04:28 UTC
(In reply to Gonzalo from comment #6)
Closing this, Samba was working as expected.