My samba: Version 4.0.0alpha7 I have users with userAccountControl with PASSWD_NOTREQD (as this flag is set by default for new user due to the value of 546 in templates.ldb) and some othere without (because created before the change of the default value). A few days ago, when users had their password expired, we face a problem with users whose account had the flag PASSWD_NOTREQD set. It turns out that windows show them a window saying that their password is expired so they change it and have the confirmation that the password is changed. But under the hood, the password wasn't: doing a kinit myuser on the server worked only worked with old password. Trying to set the password through ADCU wasn't successful also, but trying kpasswd worked. After unseting PASSWD_NOTREQD flags, all the accounts were able to change their password, so my guess is that the way samba4 handle now this flag is not the good one.
We (tridge and I) have been unable to reproduce this with the current code, and a WinXP client changing it's password after expiry. Is is at all possible you could get me a network trace of the failure? Also, see if you get the failure using current (we just fixed some bugs) 'net password change' from Samba4 (this will give as a simpler way to reproduce). Perhaps something changed in the current code (we corrected some aspects of the PASSWD_NOTREQD behaviour)? Thanks,
I've made a more precise analysis. I definitly still have the problem. But it turns out that the password had to be still valid (ie. expire within 1/2 days). Because if the password is expired then no problem occurs. I made a tcpdump capture hope it will be more explicit (maybe you'll need the keytab). I tried with net password but I got this : /usr/local/samba/bin/net password change user Processing section "[netlogon]" Processing section "[sysvol]" pm_process() returned Yes adding hidden service IPC$ adding hidden service ADMIN$ GENSEC backend 'sasl-DIGEST-MD5' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered GENSEC backend 'schannel' registered GENSEC backend 'spnego' registered GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'ntlmssp' registered added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 Password for [user@SMB4.TST]: ndr_push_error(16): NULL [ref] pointer Mapped to DCERPC endpoint \pipe\samr added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 Shutdown SMB signing BSRSPYL SMB signing enabled Shutdown SMB signing Starting GENSEC mechanism spnego Server claims it's principal name is TEST$@SMB4.TST Starting GENSEC submechanism gssapi_krb5 Received smb_krb5 packet of length 225 Received smb_krb5 packet of length 1176 Received smb_krb5 packet of length 1178 Received smb_krb5 packet of length 1190 gensec_gssapi: credentials were delegated GSSAPI Connection will have no cryptographic protection SMB signing enabled! [0000] 25 5F 6E 8C 9F 05 2B 3A %_n...+: Seen valid packet, so turning signing on Seen valid packet, so marking signing as 'seen valid' sign_outgoing_message: SENT SIG (seq: 2): sent SMB signature of [0000] C0 9E 69 25 12 3D 06 E3 ..i%.=.. [0000] 88 F5 D8 D4 5A E7 70 93 ....Z.p. sign_outgoing_message: SENT SIG (seq: 4): sent SMB signature of [0000] 21 3D 25 4F 03 69 ED 9F !=%O.i.. [0000] F7 21 85 44 CD EE 78 BF .!.D..x. sign_outgoing_message: SENT SIG (seq: 6): sent SMB signature of [0000] 98 70 DD 21 1A D9 84 2B .p.!...+ [0000] 64 EF 52 1A F6 1D BA D6 d.R..... sign_outgoing_message: SENT SIG (seq: 8): sent SMB signature of [0000] 0A AA CF 2A 21 A7 48 1E ...*!.H. [0000] 20 83 7A 9E D5 19 BC A6 .z..... sign_outgoing_message: SENT SIG (seq: 10): sent SMB signature of [0000] EA 5B 61 4D C6 93 AF 51 .[aM...Q [0000] 2A EC BE 91 10 55 32 9E *....U2. sign_outgoing_message: SENT SIG (seq: 12): sent SMB signature of [0000] FA DA ED 53 EF 0F 7F 92 ...S.... [0000] 6C 32 21 83 14 45 77 CC l2!..Ew. net_password_change: samr_OemChangePasswordUser2 failed: NT_STATUS_WRONG_PASSWORD return code = -1 sign_outgoing_message: SENT SIG (seq: 14): sent SMB signature of [0000] 71 40 5E 49 2A F9 9F 50 q@^I*..P Then to be sure I tried with the same password with kinit and it works: test:/usr/local/samba/private# kinit user Password for user@SMB4.TST: Warning: Your password will expire in 25 hours.
For the test, we need you to run 'net password change' with current code. We fixed the incorrect use of OemChangePassword, which fails due to the fact that we no longer store the LM hash this week, and you are clearly using code older than that. You don't need to upgrade the server, just compile a fresh 'net' tool.
Do not manage to get net in order to work : /usr/local/samba/bin/net password change user_adm Processing section "[netlogon]" Processing section "[sysvol]" added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 Password for [administrator@SMB4.TST]: ndr_push_error(16): NULL [ref] pointer Mapped to DCERPC endpoint \pipe\samr added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 added interface ip=10.6.1.1 nmask=255.255.255.192 added interface ip=192.168.99.2 nmask=255.255.255.0 Received smb_krb5 packet of length 254 Received smb_krb5 packet of length 1263 Received smb_krb5 packet of length 1284 Received smb_krb5 packet of length 1296 net_password_change: samr_ChangePasswordUser3 for 'SAMBA4\root' failed: NT_STATUS_WRONG_PASSWORD I tried : net password change net password change user_adm net password change SAMBA\user_adm But every time I get a problem like the one above. I also tried with w2k8 and was unable to change the password and got the message a device attached to the system does not work.
Created attachment 4336 [details] keytab for decrypting the trace
Created attachment 4337 [details] Problem while changing the password in w2k8 User has a password to expire soon with accountControl = 544
I've been unable to reproduce the bug with a recent version of samba both with a fresh and not so fresh provision. So let's says that it's resolved.