When joining to a Samba domain using passdb backend = ldapsam, the LDAP attribute sambaPwdLastSet is not set. That leads to NT_STATUS_PASSWORD_MUST_CHANGE messages.
A samba/ldap domain. After upgrading to versions greater than 3.0.24, there are problems with the timestamps which are correctly set in the LDAP tree. Here are 2 examples:
---------------------------------------------------
Example 1: Password can change=not empty

LDAP:
sambaPwdLastSet: 1205744729
sambaPwdMustChange: 1307828342
sambaPwdCanChange: 1192276342
sambaKickoffTime: 1228086000

Samba 3.0.24 -> correct:
Logon time: Tue, 06 Feb 2007 16:07:05 CET
Logoff time: Tue, 10 Feb 2004 09:18:42 CET
Kickoff time: Mon, 01 Dec 2008 00:00:00 CET
Password last set: Mon, 17 Mar 2008 10:05:29 CET
Password can change: Sat, 13 Oct 2007 13:52:22 CEST
Password must change: Sat, 11 Jun 2011 23:39:02 CEST

Samba >3.0.24 -> incorrect:
Logon time: Tue, 06 Feb 2007 16:07:05 CET
Logoff time: Tue, 10 Feb 2004 09:18:42 CET
Kickoff time: Mon, 01 Dec 2008 00:00:00 CET
Password last set: Mon, 17 Mar 2008 10:05:29 CET
Password can change: Mon, 17 Mar 2008 10:05:29 CET
Password must change: Mon, 17 Mar 2008 10:06:59 CET
---------------------------------------------------
Example 2: Password can change=empty

LDAP:
sambaPwdLastSet: 1205738745
sambaPwdMustChange: 1208781070
sambaKickoffTime: 1230764400
sambaPwdCanChange -> doesn't exist

Samba 3.0.24 -> correct:
Logon time: Wed, 07 Feb 2007 20:00:12 CET
Logoff time: Thu, 09 Oct 2003 08:04:28 CEST
Kickoff time: Thu, 01 Jan 2009 00:00:00 CET
Password last set: Mon, 17 Mar 2008 08:25:45 CET
Password can change: 0
Password must change: Mon, 21 Apr 2008 14:31:10 CEST

Samba >3.0.24 -> incorrect:
Logon time: Wed, 07 Feb 2007 20:00:12 CET
Logoff time: Thu, 09 Oct 2003 08:04:28 CEST
Kickoff time: Thu, 01 Jan 2009 00:00:00 CET
Password last set: Mon, 17 Mar 2008 08:25:45 CET
Password can change: Mon, 17 Mar 2008 08:25:45 CET
Password must change: Mon, 17 Mar 2008 08:27:15 CET
---------------------------------------------------
The times set for "Password can change:" and "Password must change:" are incorrect. That leads to each user having to change his password every time he wants to log in, because the "Password must change" is 1:30 minutes later than "Password can change", which is the same value as "Password last set".
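A check for the symptom reported in the comment above, as an added example that is not part of the original report or of Samba: it compares the epoch values stored in LDAP with the times shown in the account listing and reports any drift. The function names and the CET/CEST offset table are assumptions made for this example; the data is Example 1 from the report.

```python
import calendar

# Zone labels that appear in the report, as offsets from UTC in seconds.
TZ_OFFSETS = {"CET": 3600, "CEST": 7200}
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# LDAP attribute -> label used in the account listing.
FIELDS = {"sambaPwdLastSet": "Password last set",
          "sambaPwdCanChange": "Password can change",
          "sambaPwdMustChange": "Password must change",
          "sambaKickoffTime": "Kickoff time"}

def to_epoch(stamp):
    """'Mon, 17 Mar 2008 10:05:29 CET' -> seconds since 1970-01-01 UTC."""
    _, day, mon, year, clock, zone = stamp.replace(",", "").split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    local = calendar.timegm((int(year), MONTHS[mon], int(day), hh, mm, ss))
    return local - TZ_OFFSETS[zone]

def compare(ldap_attrs, listing):
    """Return {label: displayed - stored, in seconds} for fields that differ."""
    drift = {}
    for attr, label in FIELDS.items():
        shown = listing.get(label, "0")
        if attr not in ldap_attrs or shown == "0":
            continue  # attribute absent in LDAP, or listed as unset
        delta = to_epoch(shown) - int(ldap_attrs[attr])
        if delta:
            drift[label] = delta
    return drift

def forced_change_window(listing):
    """Displayed seconds between 'Password last set' and 'Password must change'."""
    return (to_epoch(listing["Password must change"])
            - to_epoch(listing["Password last set"]))

# Values copied from Example 1 of the report.
LDAP_EX1 = {"sambaPwdLastSet": "1205744729", "sambaPwdMustChange": "1307828342",
            "sambaPwdCanChange": "1192276342", "sambaKickoffTime": "1228086000"}
LISTING_3_0_24 = {"Kickoff time": "Mon, 01 Dec 2008 00:00:00 CET",
                  "Password last set": "Mon, 17 Mar 2008 10:05:29 CET",
                  "Password can change": "Sat, 13 Oct 2007 13:52:22 CEST",
                  "Password must change": "Sat, 11 Jun 2011 23:39:02 CEST"}
LISTING_LATER = {**LISTING_3_0_24,
                 "Password can change": "Mon, 17 Mar 2008 10:05:29 CET",
                 "Password must change": "Mon, 17 Mar 2008 10:06:59 CET"}

if __name__ == "__main__":
    print(compare(LDAP_EX1, LISTING_3_0_24))
    print(compare(LDAP_EX1, LISTING_LATER), forced_change_window(LISTING_LATER))
```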
Join MS Vista to a samba (3.0.23/24) Domain (ldapsam). If I join the domain manually all works fine, but when I try the unattended method I got the following errors:

2008-03-04 02:58:32, Error [unattendedjoin.exe] Unattended Join: NetJoinDomain failed error code is [50]
2008-03-04 02:58:32, Error [unattendedjoin.exe] Unattended Join: Unable to join; gdwError = 0x32
(In reply to comment #2)
> Join MS Vista to a samba (3.0.23/24) Domain (ldapsam). If I join the
> domain manually all works fine, but when I try the unattended method I
> got the following errors:
>
> 2008-03-04 02:58:32, Error [unattendedjoin.exe]
> Unattended Join: NetJoinDomain failed error code is [50]
> 2008-03-04 02:58:32, Error [unattendedjoin.exe]
> Unattended Join: Unable to join; gdwError = 0x32

We do not support unattendedjoin before Samba 3.2. May I ask you to retest with Samba 3.2 and reopen a new bugzilla entry on that one?
Fixed with f65cb5d4b51e2e7b9b16b73e47cd2a8d55d5d4b0 (v3-2-test) and 36df2d4666be72fe9254fa3c1188816e7f49a68c (v3-0-test).