Running winbind on solaris 9 works for authentication. However after logging in and changing the windows password, then logging out, winbind still authenticates the user with their old password, as well as their new password. Windows clients do not accept the old password.
Created attachment 1302
winbindd log at debug 10
This is logging the activities of logging on the system with a valid password, changing the password, logging off, logging on with the old password, logging off, then logging on with the valid password
Created attachment 1303
tethereal capture while authenticating
Created attachment 1304
actual winbindd log at debug 10
This is not a winbindd issue as far as I can tell. How are you connecting and from what client? Most of the authentication requests I see are ticket based connections in the SMBsesssetup&X requests. I see 4 netsamlogon() requests following the change password requests but since the packets are encrypted I cannot tell if they are for the same user. Are you sure you are not dealing with some type of AD synchronization issue? Winbindd just asks the DC to authenticate the user. We don't cache the password anywhere.
This is a test machine solaris 9, samba 3.14a, authenticating against a windows 2003 domain. I don't really know what you mean by how are you connecting. I have tested this behavior with openssh as well as dtlogin via "other" in pam.
Created attachment 1306
the pam.conf used
Applicable sections are ssh and other
Created attachment 1307
the smb.conf used
Also like I said, I start a citrix connection as I log in with a .login. The windows citrix connection refused the old password, so it cannot be an ad sync issue. The unix winbind client will still successfully authenticate the old password for an hour.
I'm still not anywhere near convinced that there is a bug here. Winbindd cannot authenticate using old passwords since it doesn't cache the original password. There is *no* history kept from previous authentications. I do see one error in your winbindd log:

    could not open file /usr/local/samba/var/locks/winbindd_cache.tdb: No such file or directory

I see 6 authentication attempts for the user mcm75test. Each pair has one failure with "wrong password" and one that succeeds.
I don't know what I can do to convince you. You have my smb.conf and pam.conf, so you can see if I am doing anything blatantly wrong (I don't think I am). Like you said, it shows failed attempts, but like I said in my comment of the winbind log, some of those attempts worked. Also like I said old passwords stop working after some time. Maybe it is a bug in solaris pam? Do you know of any way for me to find out more info as to the true cause? As for the cache tdb not existing that makes sense as I deleted it when this problem started, and am now starting winbind with -n.
Christian, would you send me the winbind log for one successful login using an old password? I'm just trying to narrow the window of failure. One difference here as well is the Windows servers are probably using kerberos tickets for authentication and pam_winbind is using NTLM. Can you verify that NTLM authentication from the Windows server is not working in your experiments?
Created attachment 1322
winbind log at debug 10
Log of winbind authenticating successfully an invalid password
> Can you verify that NTLM authentication from the Windows server is not working in your experiments?
How would I go about that?
Created attachment 1323
debug 10
Only contains the action of logging in with a just changed password
We have a repro with wbinfo:

    <Change domain password on domain to which his Linux workstation is joined>
    wbinfo -a CORP+aglabek%<new password>
    challenge/response password authentication succeeded
    wbinfo -a CORP+aglabek%<old password>
    challenge/response password authentication succeeded
    wbinfo -a CORP+aglabek%<some random characters (bad password)>
    challenge/response password authentication failed

This is with 3.0.20.
Created attachment 1469
log.winbindd of Auth success against OLD and NEW Passwords
Created attachment 1470
Successful login with OLD and NEW passwords
Created attachment 1471
Successful LOGIN with OLD and NEW Passwords
Created attachment 1472
Ethereal Dump of OLD and NEW password AUTH
We now have proof from Andrew Bartlett that Windows 2003 is authenticating old passwords as well as the current one. This is not a Samba bug, but a Windows one. Andrew Bartlett is contacting Microsoft with his work on this. I'd recommend closing this one out as we cannot fix it. The only fix for now is to use a Samba PDC not a Windows 2003 one.
Jeremy.
Marking as invalid. Windows bug, not ours.
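
The wbinfo repro from the thread, wrapped as a check that can be rerun after a password change to see whether the DC still accepts the previous password. This is an added example, not part of the original thread or of Samba; the function names, verdict strings and the `WBINFO` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): after changing a test account's domain
# password, ask the DC via winbindd whether the previous password still works.
# Use a throwaway test account: wbinfo -a takes the password on the command
# line, where it is visible in the process list and shell history.

# WBINFO can be pointed at another command (assumption, used for dry runs).
WBINFO=${WBINFO:-wbinfo}

# try_auth USER PASSWORD -> prints "accepted" or "rejected".
# Matches the challenge/response result line quoted in the thread.
try_auth() {
    if "$WBINFO" -a "$1%$2" 2>&1 |
        grep -q 'challenge/response password authentication succeeded'; then
        echo accepted
    else
        echo rejected
    fi
}

# check_old_password USER NEW OLD BOGUS -> prints a verdict.
# Exit status: 0 old password rejected, 1 old password still valid,
# 2 control case failed so the result cannot be trusted.
check_old_password() {
    new=$(try_auth "$1" "$2")
    old=$(try_auth "$1" "$3")
    bad=$(try_auth "$1" "$4")
    # Controls first: a bogus password must fail and the new one must work,
    # otherwise "old accepted" says nothing about the DC's behaviour.
    if [ "$bad" = accepted ]; then
        echo "INCONCLUSIVE: bogus password accepted"
        return 2
    fi
    if [ "$new" = rejected ]; then
        echo "INCONCLUSIVE: new password rejected"
        return 2
    fi
    if [ "$old" = accepted ]; then
        echo "OLD_PASSWORD_STILL_VALID"
        return 1
    fi
    echo "OLD_PASSWORD_REJECTED"
    return 0
}
```

Call it as `check_old_password 'CORP+testuser' "$NEW" "$OLD" "$BOGUS"` with a constructed test account; since the reporter saw the old password keep working for about an hour, running it again after that window shows when the old credential stops being accepted.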