Bug 4085 - smbpasswd doesn't change expired password on remote machine
Summary: smbpasswd doesn't change expired password on remote machine
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.0.23a
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-09-07 02:28 UTC by Dmitry Balakshin
Modified: 2006-11-06 13:21 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitry Balakshin 2006-09-07 02:28:54 UTC
When trying to change password on a remote machine after it expired I've got the following:

$>smbpasswd -D 10 -r server domain\\username
    ...
SPNEGO login failed: Password expired
Could not connect to machine server: NT_STATUS_PASSWORD_EXPIRED
Failed to modify password entry for user domain\username

When trying log in on ordinary Win2K box, system says: "Password expired and must be changed". And then allows me to perform desired change.

I don't know what Windows version is installed on server, but according to nmap-4.11:

$> nmap -v -O server
    ...
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro SP1/SP2 or 2000 SP4

My suggestion. In source/libsmb/passchange.c : remote_password_change()
    ...
    if (!NT_STATUS_IS_OK(result)) {

        /* Password must change is the only valid error
         * condition here from where we can proceed, the rest
         * like account locked out or logon failure will lead
         * to errors later anyway */

       if (!NT_STATUS_EQUAL(result,
                            NT_STATUS_PASSWORD_MUST_CHANGE)) {
    ...

May be it should also check for NT_STATUS_PASSWORD_EXPIRED.
Comment 1 Nils Nordman 2006-11-06 03:21:23 UTC
I'll second this. Just today I run into the same issue and had to modify the code in the way proposed in the opening ticket which then worked fine. My patch below:

--- passchange.c.bak    2006-11-06 10:12:22.000000000 +0100
+++ passchange.c        2006-11-06 08:59:04.000000000 +0100
@@ -86,7 +86,10 @@
                         * to errors later anyway */

                        if (!NT_STATUS_EQUAL(result,
-                                            NT_STATUS_PASSWORD_MUST_CHANGE)) {
+                                            NT_STATUS_PASSWORD_MUST_CHANGE) &&
+                            !NT_STATUS_EQUAL(result,
+                                            NT_STATUS_PASSWORD_EXPIRED)
+                            ) {
                                slprintf(err_str, err_str_len-1, "Could not "
                                         "connect to machine %s: %s\n",
                                         remote_machine, cli_errstr(&cli));
Comment 2 Jeremy Allison 2006-11-06 13:21:52 UTC
Applied for next release - thanks !
Jeremy.