2874 – winbind successfuly authenicating old password

Bug 2874 - winbind successfuly authenicating old password

Summary: winbind successfuly authenicating old password

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	winbind (show other bugs)
Version:	3.0.14a
Hardware:	All Solaris

Importance:	P3 normal
Target Milestone:	none
Assignee:	Gerald (Jerry) Carter (dead mail address)
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-07-13 11:28 UTC by mchugh19@yahoo.com
Modified:	2005-10-05 07:11 UTC (History)
CC List:	0 users

See Also:

Attachments
winbindd log at debug 10 (700.37 KB, text/plain) 2005-07-13 11:29 UTC, mchugh19@yahoo.com	no flags	Details
tethereal capture while authenicating (139.21 KB, application/octet-stream) 2005-07-13 11:32 UTC, mchugh19@yahoo.com	no flags	Details
actual winbindd log at debug 10 (121.45 KB, application/gzip) 2005-07-13 11:35 UTC, mchugh19@yahoo.com	no flags	Details
the pam.conf used (8.18 KB, text/plain) 2005-07-14 08:46 UTC, mchugh19@yahoo.com	no flags	Details
the smb.conf used (854 bytes, text/plain) 2005-07-14 08:47 UTC, mchugh19@yahoo.com	no flags	Details
winbind log at debug 10 (88.21 KB, text/x-gzip) 2005-07-20 09:45 UTC, mchugh19@yahoo.com	no flags	Details
debug 10 (88.21 KB, application/gzip) 2005-07-20 09:49 UTC, mchugh19@yahoo.com	no flags	Details
log.winbindd of Auth success against OLD and NEW Passwords (610.92 KB, text/plain) 2005-10-03 14:15 UTC, Brian Moran	no flags	Details
Successful login with OLD and NEW passwords (299.48 KB, text/plain) 2005-10-03 14:15 UTC, Brian Moran	no flags	Details
Successful LOGIN with OLD and NEW Passwords (5.72 KB, text/plain) 2005-10-03 14:16 UTC, Brian Moran	no flags	Details
Ethereal Dump of OLD and NEW password AUTH (434.07 KB, application/octet-stream) 2005-10-03 14:17 UTC, Brian Moran	no flags	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description mchugh19@yahoo.com 2005-07-13 11:28:51 UTC

Running winbind on solaris 9 works for authenication. However after loggin in
and changing the windows password, then logging out, winbind still authenicates
the user with their old password, as well as their new password. Windows clients
do not accept the old password.

Comment 1 mchugh19@yahoo.com 2005-07-13 11:29:48 UTC

Created attachment 1302 [details]
winbindd log at debug 10

This is logging the activities of loggin on the system with a valid password,
changing the password, logging off, loggin on with the old password, logging
off, then logging on with the vaid password

Comment 2 mchugh19@yahoo.com 2005-07-13 11:32:46 UTC

Created attachment 1303 [details]
tethereal capture while authenicating

Comment 3 mchugh19@yahoo.com 2005-07-13 11:35:13 UTC

Created attachment 1304 [details]
actual winbindd log at debug 10

Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-07-14 06:56:49 UTC

This is not a winbindd issue as far as I can tell.  How are you 
connecting and f4rom what client?  Most of the authentication 
request I see are ticket based connections in the SMBsesssetup&X
requests.  I seem 4 netsamlogon() request following the change 
password requests but since the packets are encrypted I cannot tell 
if they are for the same user.  

Are you sure you are not dealing with some type of AD synchronization 
issue?  Winbindd just asks sthe DC to authenticate the user.  
We don't cache the password anywhere.

Comment 5 mchugh19@yahoo.com 2005-07-14 08:45:46 UTC

This is a test machine solaris 9, samba 3.14a, authenicating against a windows 
2003 domain. I don't really know what you mean by how are you connecting. I 
have testing this behavior with openssh as well as dtlogin via "other" in pam.

Comment 6 mchugh19@yahoo.com 2005-07-14 08:46:32 UTC

Created attachment 1306 [details]
the pam.conf used

Applicable sections are ssh and other

Comment 7 mchugh19@yahoo.com 2005-07-14 08:47:03 UTC

Created attachment 1307 [details]
the smb.conf used

Comment 8 mchugh19@yahoo.com 2005-07-14 08:50:01 UTC

Also like I said, I start a citrix connection as I log in with a .login. The 
windows citrix connection refused the old password, so it cannot be an ad sync 
issue. The unix winbind client will still successfully authenticate the old 
password for an hour.

Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-07-15 15:26:01 UTC

I'm still not anywhere near convinced that there is a 
bug here.  Winbindd cannot authenticate using old passwords
since it doesn't cache the original password.  There is *no* 
history kept from previous authentications.

I do see one error in your winbindd log:

    could not open file /usr/local/samba/var/locks/winbindd_cache.tdb: 
    No such file or directory

I see 6 authentication attempts for the user mcm75test.
Each pair has one failure with "wrong password" and one that 
succeeds.

Comment 10 mchugh19@yahoo.com 2005-07-15 16:31:19 UTC

I don't know what I can do to convince you. You have my smb.conf and pam.conf, 
so you can see if I am doing anything blatantly wrong (I don't think I am). 
Like you said, it shows failed attempts, but like I said in my comment of the 
winbind log, some of those attempts worked. Also like I said old passwords stop 
working after some time. Maybe it is a bug in solaris pam? Do you know of any 
way for me to find out more info as to the true cause? As for the cache tdb not 
existing that makes sense as I deleted it when this problem started, and am now 
starting winbind with -n.

Comment 11 Gerald (Jerry) Carter (dead mail address) 2005-07-19 08:05:31 UTC

Christian, would you send me the winbind log for 
one successful login using an old password ?  I'm just trying 
to narrow the window of failure.

One different here as well is the Windows servers are probably
using kerberos tickets for authentication and pam_winbind is 
using NTLM.  Can you verify that NTLM authentication from 
the Windows server is not working in your experiements?

Comment 12 mchugh19@yahoo.com 2005-07-20 09:45:48 UTC

Created attachment 1322 [details]
winbind log at debug 10

Log of winbind authenicating successfully an invalid password

Comment 13 mchugh19@yahoo.com 2005-07-20 09:46:56 UTC

Can you verify that NTLM authentication from the Windows server is not working
in your experiements?

How would I go about that?

Comment 14 mchugh19@yahoo.com 2005-07-20 09:49:08 UTC

Created attachment 1323 [details]
debug 10

Only contains the action of logging in with a just changed password

Comment 15 Brian Moran 2005-10-03 12:58:55 UTC

We have a repro with wbinfo:

<Change domain password on domain to which his Linux workstation is joined>

wbinfo –a CORP+aglabek%<new password>
challenge/response password authentication succeeded

wbinfo –a CORP+aglabek%<old password>
challenge/response password authentication succeeded

wbinfo –a CORP+aglabek%<some random characters (bad password)>
challenge/response password authentication failed

This is with 3.0.20.

Comment 16 Brian Moran 2005-10-03 14:15:17 UTC

Created attachment 1469 [details]
log.winbindd of Auth success against OLD and NEW Passwords

Comment 17 Brian Moran 2005-10-03 14:15:57 UTC

Created attachment 1470 [details]
Successful login with OLD and NEW passwords

Comment 18 Brian Moran 2005-10-03 14:16:18 UTC

Created attachment 1471 [details]
Successful LOGIN with OLD and NEW Passwords

Comment 19 Brian Moran 2005-10-03 14:17:04 UTC

Created attachment 1472 [details]
Ethereal Dump of OLD and NEW password AUTH

Comment 20 Jeremy Allison 2005-10-04 10:36:31 UTC

We now have proof from Andrew Bartlett that Windows 2003 is authenticating old
passwords as well as current one. This is not a Samba bug, but a Windows one.
Andrew Bartlett is contacting Microsoft with his work on this. I'd recommend
closing this one out as we cannot fix it. The only fix for now is to use a Samba
PDC not a Windows 2003 one.
Jeremy.

Comment 21 Gerald (Jerry) Carter (dead mail address) 2005-10-05 07:11:58 UTC

Marking as invalid.  Windows bug, not ours.