Bug 5336 - sambaPwdLastSet is not set during domain join
sambaPwdLastSet is not set during domain join
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control
3.2.0
x86 Linux
: P3 normal
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-18 05:59 UTC by Karolin Seeger
Modified: 2008-03-27 08:57 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Karolin Seeger 2008-03-18 05:59:54 UTC
When joining to a Samba domain using passdb backend = ldapsam, the LDAP
attribute sambaPwdLastSet is not set. That leads to NT_STATUS_PASSWORD_MUST_CHANGE messages.
Comment 1 Mario Gzuk 2008-03-18 10:12:32 UTC
A samba/ldap domain. After upgrading to versions greater than
3.0.24, there are problems with the timestamps which are correct set in
the LDAP tree.
Here are 2 examples:
---------------------------------------------------
Example 1: 
Password can change=not empty
LDAP:
sambaPwdLastSet: 1205744729
sambaPwdMustChange: 1307828342
sambaPwdCanChange: 1192276342
sambaKickoffTime: 1228086000

Samba 3.0.24 -> correct:
Logon time:           Tue, 06 Feb 2007 16:07:05 CET
Logoff time:          Tue, 10 Feb 2004 09:18:42 CET
Kickoff time:         Mon, 01 Dec 2008 00:00:00 CET
Password last set:    Mon, 17 Mar 2008 10:05:29 CET
Password can change:  Sat, 13 Oct 2007 13:52:22 CEST
Password must change: Sat, 11 Jun 2011 23:39:02 CEST


Samba >3.0.24 -> incorrect:
Logon time:           Tue, 06 Feb 2007 16:07:05 CET
Logoff time:          Tue, 10 Feb 2004 09:18:42 CET
Kickoff time:         Mon, 01 Dec 2008 00:00:00 CET
Password last set:    Mon, 17 Mar 2008 10:05:29 CET
Password can change:  Mon, 17 Mar 2008 10:05:29 CET
Password must change: Mon, 17 Mar 2008 10:06:59 CET
---------------------------------------------------
Exapmle 2:
Password can change=empty
LDAP:
sambaPwdLastSet: 1205738745
sambaPwdMustChange: 1208781070
sambaKickoffTime: 1230764400
sambaPwdCanChange -> doesnt exist

Samba 3.0.24 -> correct:
Logon time:           Wed, 07 Feb 2007 20:00:12 CET
Logoff time:          Thu, 09 Oct 2003 08:04:28 CEST
Kickoff time:         Thu, 01 Jan 2009 00:00:00 CET
Password last set:    Mon, 17 Mar 2008 08:25:45 CET
Password can change:  0
Password must change: Mon, 21 Apr 2008 14:31:10 CEST

Samba >3.0.24 -> incorrect:
Logon time:           Wed, 07 Feb 2007 20:00:12 CET
Logoff time:          Thu, 09 Oct 2003 08:04:28 CEST
Kickoff time:         Thu, 01 Jan 2009 00:00:00 CET
Password last set:    Mon, 17 Mar 2008 08:25:45 CET
Password can change:  Mon, 17 Mar 2008 08:25:45 CET
Password must change: Mon, 17 Mar 2008 08:27:15 CET
---------------------------------------------------

The time sets for "Password can change:" and "Password must change:" are
incorrect, that leads to that each user has to change his password every
time he want to log in, because the "Password must change" is 1:30
minute later than "Password can change" which is the same value like
"Password last set".
Comment 2 Mario Gzuk 2008-03-18 10:13:47 UTC
Join MS Vista to a samba (3.0.23/24) Domain (ldapsam). If I join the
domain manually all works fine, but when I try the unattended method I
got the following errors:

2008-03-04 02:58:32, Error                        [unattendedjoin.exe]
Unattended Join: NetJoinDomain failed error code is [50]
2008-03-04 02:58:32, Error                        [unattendedjoin.exe]
Unattended Join: Unable to join; gdwError = 0x32
Comment 3 Guenther Deschner 2008-03-18 15:29:21 UTC
(In reply to comment #2)
> Join MS Vista to a samba (3.0.23/24) Domain (ldapsam). If I join the
> domain manually all works fine, but when I try the unattended method I
> got the following errors:
> 
> 2008-03-04 02:58:32, Error                        [unattendedjoin.exe]
> Unattended Join: NetJoinDomain failed error code is [50]
> 2008-03-04 02:58:32, Error                        [unattendedjoin.exe]
> Unattended Join: Unable to join; gdwError = 0x32

We do not support unattendedjoin before Samba 3.2. May I ask you to retest with Samba 3.2 and reopen a new bugzilla entry on that one?
Comment 4 Karolin Seeger 2008-03-27 08:57:15 UTC
Fixed with f65cb5d4b51e2e7b9b16b73e47cd2a8d55d5d4b0 (v3-2-test) and
36df2d4666be72fe9254fa3c1188816e7f49a68c (v3-0-test).