Bug 6271 - Samba4 fails to store update password when userAccountControl PASSWD_NOTREQD set
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: P3 major
Assigned To: Andrew Bartlett
Reported: 2009-04-18 06:05 UTC by Matthieu Patou
Modified: 2009-06-24 12:42 UTC (History)
Attachments
keytab for decrypting the trace (57 bytes, application/octet-stream)
2009-06-20 16:09 UTC, Matthieu Patou
Problem while changing the password in w2k8 (9.95 KB, application/octet-stream)
2009-06-20 16:11 UTC, Matthieu Patou
Description Matthieu Patou 2009-04-18 06:05:16 UTC
My samba: Version 4.0.0alpha7
I have users with userAccountControl with PASSWD_NOTREQD (as this flag is set by default for new users due to the value of 546 in templates.ldb) and some others without (because they were created before the change of the default value).
A few days ago, when users had their password expired, we faced a problem with users whose account had the flag PASSWD_NOTREQD set. It turns out that Windows shows them a window saying that their password is expired, so they change it and get the confirmation that the password is changed.
But under the hood, the password wasn't changed: doing a kinit myuser on the server only worked with the old password.

Trying to set the password through ADCU wasn't successful either, but trying kpasswd worked.

After unsetting the PASSWD_NOTREQD flag, all the accounts were able to change their password, so my guess is that the way samba4 now handles this flag is not the right one.
Comment 1 Andrew Bartlett 2009-05-25 00:37:28 UTC
We (tridge and I) have been unable to reproduce this with the current code, and a WinXP client changing its password after expiry.

Is it at all possible you could get me a network trace of the failure?  Also, see if you get the failure using current (we just fixed some bugs) 'net password change' from Samba4 (this will give us a simpler way to reproduce).

Perhaps something changed in the current code (we corrected some aspects of the PASSWD_NOTREQD behaviour)?

Thanks,
Comment 2 Matthieu Patou 2009-05-27 07:54:03 UTC
I've made a more precise analysis. I definitely still have the problem.
But it turns out that the password had to still be valid (i.e. expire within 1/2 days).
Because if the password is expired then no problem occurs.

I made a tcpdump capture; I hope it will be more explicit (maybe you'll need the keytab).

I tried with net password but I got this:
/usr/local/samba/bin/net password change user
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
adding hidden service IPC$
adding hidden service ADMIN$
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
Password for [user@SMB4.TST]:
ndr_push_error(16): NULL [ref] pointer
Mapped to DCERPC endpoint \pipe\samr
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
Shutdown SMB signing
BSRSPYL SMB signing enabled
Shutdown SMB signing
Starting GENSEC mechanism spnego
Server claims it's principal name is TEST$@SMB4.TST
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 225
Received smb_krb5 packet of length 1176
Received smb_krb5 packet of length 1178
Received smb_krb5 packet of length 1190
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
SMB signing enabled!
[0000] 25 5F 6E 8C 9F 05 2B 3A                            %_n...+:
Seen valid packet, so turning signing on
Seen valid packet, so marking signing as 'seen valid'
sign_outgoing_message: SENT SIG (seq: 2): sent SMB signature of
[0000] C0 9E 69 25 12 3D 06 E3                            ..i%.=..
[0000] 88 F5 D8 D4 5A E7 70 93                            ....Z.p.
sign_outgoing_message: SENT SIG (seq: 4): sent SMB signature of
[0000] 21 3D 25 4F 03 69 ED 9F                            !=%O.i..
[0000] F7 21 85 44 CD EE 78 BF                            .!.D..x.
sign_outgoing_message: SENT SIG (seq: 6): sent SMB signature of
[0000] 98 70 DD 21 1A D9 84 2B                            .p.!...+
[0000] 64 EF 52 1A F6 1D BA D6                            d.R.....
sign_outgoing_message: SENT SIG (seq: 8): sent SMB signature of
[0000] 0A AA CF 2A 21 A7 48 1E                            ...*!.H.
[0000] 20 83 7A 9E D5 19 BC A6                             .z.....
sign_outgoing_message: SENT SIG (seq: 10): sent SMB signature of
[0000] EA 5B 61 4D C6 93 AF 51                            .[aM...Q
[0000] 2A EC BE 91 10 55 32 9E                            *....U2.
sign_outgoing_message: SENT SIG (seq: 12): sent SMB signature of
[0000] FA DA ED 53 EF 0F 7F 92                            ...S....
[0000] 6C 32 21 83 14 45 77 CC                            l2!..Ew.
net_password_change: samr_OemChangePasswordUser2 failed: NT_STATUS_WRONG_PASSWORD
return code = -1
sign_outgoing_message: SENT SIG (seq: 14): sent SMB signature of
[0000] 71 40 5E 49 2A F9 9F 50                            q@^I*..P

Then to be sure I tried with the same password with kinit and it works:

test:/usr/local/samba/private# kinit user
Password for user@SMB4.TST:
Warning: Your password will expire in 25 hours.
Comment 3 Andrew Bartlett 2009-05-28 03:59:36 UTC
For the test, we need you to run 'net password change' with current code.  


We fixed the incorrect use of OemChangePassword, which fails due to the fact that we no longer store the LM hash this week, and you are clearly using code older than that. 

You don't need to upgrade the server, just compile a fresh 'net' tool.  
Comment 4 Matthieu Patou 2009-06-20 15:57:27 UTC
I did not manage to get net to work:

/usr/local/samba/bin/net password change user_adm
Processing section "[netlogon]"
Processing section "[sysvol]"
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
Password for [administrator@SMB4.TST]:
ndr_push_error(16): NULL [ref] pointer
Mapped to DCERPC endpoint \pipe\samr
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
added interface ip=10.6.1.1 nmask=255.255.255.192
added interface ip=192.168.99.2 nmask=255.255.255.0
Received smb_krb5 packet of length 254
Received smb_krb5 packet of length 1263
Received smb_krb5 packet of length 1284
Received smb_krb5 packet of length 1296
net_password_change: samr_ChangePasswordUser3 for 'SAMBA4\root' failed: NT_STATUS_WRONG_PASSWORD

I tried:
net password change
net password change user_adm
net password change SAMBA\user_adm

But every time I get a problem like the one above.
I also tried with w2k8 and was unable to change the password and got the message "a device attached to the system does not work".
Comment 5 Matthieu Patou 2009-06-20 16:09:28 UTC
Created attachment 4336
keytab for decrypting the trace
Comment 6 Matthieu Patou 2009-06-20 16:11:13 UTC
Created attachment 4337
Problem while changing the password in w2k8

User has a password to expire soon with accountControl = 544
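
An added example (not part of the bug report and not Samba code): it decodes the two userAccountControl values mentioned in this thread, 546 and 544, and lists the enabled accounts in an LDIF export that still carry PASSWD_NOTREQD. The sample LDIF, the account names and the function names are constructed for illustration; the bit values are the standard Active Directory userAccountControl flags.

```python
# Added example: decode userAccountControl and audit an LDIF export for
# enabled accounts that still have PASSWD_NOTREQD set.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE, PASSWD_NOTREQD = 0x0002, 0x0020

def decode_uac(value):
    """Return the names of the set flags, lowest bit first (unknown bits as hex)."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, hex(bit)))
        bit <<= 1
    return names

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith(("#", " ")) and ": " in line:
            attr, val = line.split(": ", 1)
            cur.setdefault(attr, val)
    return entries

def enabled_without_password_requirement(text):
    """Accounts with PASSWD_NOTREQD set that are not disabled."""
    hits = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry["userAccountControl"])
        except (KeyError, ValueError):
            continue  # not an account object, or malformed value
        if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE:
            hits.append((entry.get("sAMAccountName", entry.get("dn", "?")), uac))
    return hits

# Constructed sample export (hypothetical users in a hypothetical domain).
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={n},CN=Users,DC=example,DC=test\nsAMAccountName: {n}\n"
    f"userAccountControl: {u}"
    for n, u in [("alice", 546), ("bob", 544), ("carol", 512), ("dave", 66080)])

if __name__ == "__main__":
    for name, uac in enabled_without_password_requirement(SAMPLE_LDIF):
        print(name, uac, decode_uac(uac))
```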
Comment 7 Matthieu Patou 2009-06-24 12:42:07 UTC
I've been unable to reproduce the bug with a recent version of samba both with a fresh and not so fresh provision.

So let's say that it's resolved.