Bug 2874 - winbind successfully authenticating old password
Summary: winbind successfully authenticating old password
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.14a
Hardware: All Solaris
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
 
Reported: 2005-07-13 11:28 UTC by mchugh19@yahoo.com
Modified: 2005-10-05 07:11 UTC

Attachments
winbindd log at debug 10 (700.37 KB, text/plain), 2005-07-13 11:29 UTC, mchugh19@yahoo.com
tethereal capture while authenticating (139.21 KB, application/octet-stream), 2005-07-13 11:32 UTC, mchugh19@yahoo.com
actual winbindd log at debug 10 (121.45 KB, application/gzip), 2005-07-13 11:35 UTC, mchugh19@yahoo.com
the pam.conf used (8.18 KB, text/plain), 2005-07-14 08:46 UTC, mchugh19@yahoo.com
the smb.conf used (854 bytes, text/plain), 2005-07-14 08:47 UTC, mchugh19@yahoo.com
winbind log at debug 10 (88.21 KB, text/x-gzip), 2005-07-20 09:45 UTC, mchugh19@yahoo.com
debug 10 (88.21 KB, application/gzip), 2005-07-20 09:49 UTC, mchugh19@yahoo.com
log.winbindd of Auth success against OLD and NEW Passwords (610.92 KB, text/plain), 2005-10-03 14:15 UTC, Brian Moran
Successful login with OLD and NEW passwords (299.48 KB, text/plain), 2005-10-03 14:15 UTC, Brian Moran
Successful LOGIN with OLD and NEW Passwords (5.72 KB, text/plain), 2005-10-03 14:16 UTC, Brian Moran
Ethereal Dump of OLD and NEW password AUTH (434.07 KB, application/octet-stream), 2005-10-03 14:17 UTC, Brian Moran

Description mchugh19@yahoo.com 2005-07-13 11:28:51 UTC
Running winbind on Solaris 9 works for authentication. However, after logging in
and changing the Windows password, then logging out, winbind still authenticates
the user with their old password, as well as their new password. Windows clients
do not accept the old password.
Comment 1 mchugh19@yahoo.com 2005-07-13 11:29:48 UTC
Created attachment 1302
winbindd log at debug 10

This is logging the activities of logging on the system with a valid password,
changing the password, logging off, logging on with the old password, logging
off, then logging on with the valid password.
Comment 2 mchugh19@yahoo.com 2005-07-13 11:32:46 UTC
Created attachment 1303
tethereal capture while authenticating
Comment 3 mchugh19@yahoo.com 2005-07-13 11:35:13 UTC
Created attachment 1304
actual winbindd log at debug 10
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-07-14 06:56:49 UTC
This is not a winbindd issue as far as I can tell.  How are you 
connecting and from what client?  Most of the authentication 
requests I see are ticket based connections in the SMBsesssetup&X
requests.  I see 4 netsamlogon() requests following the change 
password requests but since the packets are encrypted I cannot tell 
if they are for the same user.  

Are you sure you are not dealing with some type of AD synchronization 
issue?  Winbindd just asks the DC to authenticate the user.  
We don't cache the password anywhere.
Comment 5 mchugh19@yahoo.com 2005-07-14 08:45:46 UTC
This is a test machine, Solaris 9, samba 3.14a, authenticating against a Windows 
2003 domain. I don't really know what you mean by how are you connecting. I 
have tested this behavior with openssh as well as dtlogin via "other" in pam. 
Comment 6 mchugh19@yahoo.com 2005-07-14 08:46:32 UTC
Created attachment 1306
the pam.conf used

Applicable sections are ssh and other
Comment 7 mchugh19@yahoo.com 2005-07-14 08:47:03 UTC
Created attachment 1307
the smb.conf used
Comment 8 mchugh19@yahoo.com 2005-07-14 08:50:01 UTC
Also like I said, I start a citrix connection as I log in with a .login. The 
windows citrix connection refused the old password, so it cannot be an ad sync 
issue. The unix winbind client will still successfully authenticate the old 
password for an hour. 
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-07-15 15:26:01 UTC
I'm still not anywhere near convinced that there is a 
bug here.  Winbindd cannot authenticate using old passwords
since it doesn't cache the original password.  There is *no* 
history kept from previous authentications.

I do see one error in your winbindd log:

    could not open file /usr/local/samba/var/locks/winbindd_cache.tdb: 
    No such file or directory

I see 6 authentication attempts for the user mcm75test.
Each pair has one failure with "wrong password" and one that 
succeeds.
Comment 10 mchugh19@yahoo.com 2005-07-15 16:31:19 UTC
I don't know what I can do to convince you. You have my smb.conf and pam.conf, 
so you can see if I am doing anything blatantly wrong (I don't think I am). 
Like you said, it shows failed attempts, but like I said in my comment of the 
winbind log, some of those attempts worked. Also like I said old passwords stop 
working after some time. Maybe it is a bug in solaris pam? Do you know of any 
way for me to find out more info as to the true cause? As for the cache tdb not 
existing that makes sense as I deleted it when this problem started, and am now 
starting winbind with -n.  
Comment 11 Gerald (Jerry) Carter (dead mail address) 2005-07-19 08:05:31 UTC
Christian, would you send me the winbind log for 
one successful login using an old password?  I'm just trying 
to narrow the window of failure.

One difference here as well is the Windows servers are probably
using kerberos tickets for authentication and pam_winbind is 
using NTLM.  Can you verify that NTLM authentication from 
the Windows server is not working in your experiments?
Comment 12 mchugh19@yahoo.com 2005-07-20 09:45:48 UTC
Created attachment 1322
winbind log at debug 10

Log of winbind successfully authenticating an invalid password
Comment 13 mchugh19@yahoo.com 2005-07-20 09:46:56 UTC
Can you verify that NTLM authentication from the Windows server is not working
in your experiments?

How would I go about that?

Comment 14 mchugh19@yahoo.com 2005-07-20 09:49:08 UTC
Created attachment 1323
debug 10

Only contains the action of logging in with a just changed password
Comment 15 Brian Moran 2005-10-03 12:58:55 UTC
We have a repro with wbinfo:

<Change domain password on domain to which his Linux workstation is joined>

wbinfo -a CORP+aglabek%<new password>
challenge/response password authentication succeeded

wbinfo -a CORP+aglabek%<old password>
challenge/response password authentication succeeded

wbinfo -a CORP+aglabek%<some random characters (bad password)>
challenge/response password authentication failed

This is with 3.0.20.
Comment 16 Brian Moran 2005-10-03 14:15:17 UTC
Created attachment 1469
log.winbindd of Auth success against OLD and NEW Passwords
Comment 17 Brian Moran 2005-10-03 14:15:57 UTC
Created attachment 1470
Successful login with OLD and NEW passwords
Comment 18 Brian Moran 2005-10-03 14:16:18 UTC
Created attachment 1471
Successful LOGIN with OLD and NEW Passwords
Comment 19 Brian Moran 2005-10-03 14:17:04 UTC
Created attachment 1472
Ethereal Dump of OLD and NEW password AUTH
Comment 20 Jeremy Allison 2005-10-04 10:36:31 UTC
We now have proof from Andrew Bartlett that Windows 2003 is authenticating old
passwords as well as the current one. This is not a Samba bug, but a Windows one.
Andrew Bartlett is contacting Microsoft with his work on this. I'd recommend
closing this one out as we cannot fix it. The only fix for now is to use a Samba
PDC not a Windows 2003 one.
Jeremy.
Comment 21 Gerald (Jerry) Carter (dead mail address) 2005-10-05 07:11:58 UTC
Marking as invalid.  Windows bug, not ours.
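
Added example, not part of the original thread or of Samba: a shell check built on the wbinfo -a repro from Comment 15, reporting whether the domain still accepts a user's previous password after a change. The function names, the WBINFO override variable and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): after a domain password change,
# check whether the previous password is still accepted through winbind.
# WBINFO can point at a stand-in command for offline testing (assumption).
WBINFO="${WBINFO:-wbinfo}"

# Success string as printed by wbinfo -a in the thread above.
OK_MSG="challenge/response password authentication succeeded"

# try_auth USER PASSWORD -> prints "accepted" or "rejected"
try_auth() {
    # wbinfo exits non-zero on failure; "|| true" keeps "set -e" callers alive.
    out=$("$WBINFO" -a "$1%$2" 2>&1) || true
    case "$out" in
        *"$OK_MSG"*) echo accepted ;;
        *)           echo rejected ;;
    esac
}

# check_old_password USER OLD NEW -> prints one verdict:
#   ok                     only the new password authenticates
#   old-password-accepted  the old password still authenticates
#   inconclusive           a control failed, so the result proves nothing
check_old_password() {
    user=$1; old=$2; new=$3
    # Control 1: a throwaway string must be rejected (third step of the repro).
    bad="not-the-password-$$"
    if [ "$(try_auth "$user" "$bad")" = accepted ]; then
        echo inconclusive; return 0
    fi
    # Control 2: the new password must work, or the change never took effect.
    if [ "$(try_auth "$user" "$new")" = rejected ]; then
        echo inconclusive; return 0
    fi
    if [ "$(try_auth "$user" "$old")" = accepted ]; then
        echo old-password-accepted
    else
        echo ok
    fi
}

# Stand-alone use: sh check.sh 'CORP+aglabek' "$OLD" "$NEW"
if [ "$#" -eq 3 ]; then
    check_old_password "$1" "$2" "$3"
fi
```

Each run sends one deliberately wrong password, which counts toward the account's lockout threshold. Passwords passed on the command line are visible in the process list, as they are with wbinfo -a itself.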