Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Samba] Change Password from Windows Native Interface

15 views
Skip to first unread message

Scott Mattan via samba

unread,
Dec 2, 2016, 1:00:02 AM12/2/16
to
Hello,

I am currently trying to get a Samba 4.5.1 environment set up for testing
and I am unable to get samba to request a new password from a windows
user. The error that I get, is in Japanese, so I don't have the exact
translation, however it is along the lines of...

Your user password must be changed before logging in for the first time.

However it does not give me the prompt to do so as shown in the below image.

https://s14.postimg.org/vd14ideqp/Samba_Login.png

My current build options for samba are:

http://pastebin.com/tEb1Pk5H

I am currently using SambaDC (although my computer is not connected to the
samba domain). My Samba configuration is below.

# Global parameters
[global]
netbios name = IP-12-0-1-194
realm = SAMBATEST.NET
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = SAMBATEST
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

# Shares
[netlogon]
path = /usr/local/samba/var/locks/sysvol/sambatest.net/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[testshare]
path = /usr/local/samba/var/locks/testshare
read only = No
read list = Administrator

If anyone has the user password change via native windows RPC? calls
working please help me understand where I am going wrong.

If you need any additional information please let me know.


*************************************************
マッタン・スコット 【Mattan, Scott】
サービス開発担当
マーケティング部
ニスコム株式会社
*************************************************
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

unread,
Dec 3, 2016, 1:00:03 PM12/3/16
to

How did you build Samba ?

The build options you linked to, appear to be from 'smbd -b'
Yet the smb.conf is from an AD DC, you also say you are trying to
change a password from a machine that is not joined to the domain.
You also seem to have built the deprecated 'ntvfs' filesystem.

More info required please.

Rowland

Marc Muehlfeld via samba

unread,
Dec 4, 2016, 6:20:02 AM12/4/16
to
Hi Scott,

Am 02.12.2016 um 06:55 schrieb Scott Mattan via samba:
> I am currently trying to get a Samba 4.5.1 environment set up for testing
> and I am unable to get samba to request a new password from a windows
> user. The error that I get, is in Japanese, so I don't have the exact
> translation, however it is along the lines of...
>
> Your user password must be changed before logging in for the first time.
>

> I am currently using SambaDC (although my computer is not connected to the
> samba domain).

As far as I know, Windows only prompts for password changes when a
domain user logs into a domain workstation. If a domain user just access
a share from a none-domain-member machine only an error is shown and
access is denied.

Am 03.12.2016 um 18:53 schrieb Rowland Penny via samba:
> You also seem to have built the deprecated 'ntvfs' filesystem.

Yes, but he's not using it:
> server services = s3fs,...

If he would, Samba 4.5 would fail to start:
https://wiki.samba.org/index.php/Updating_Samba#The_ntvfs_File_Server_Back_End_Has_Been_Disabled

Regards,
Marc

Rowland Penny via samba

unread,
Dec 4, 2016, 6:50:03 AM12/4/16
to
On Sun, 4 Dec 2016 12:11:17 +0100
Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:

> Hi Scott,
>
> Am 02.12.2016 um 06:55 schrieb Scott Mattan via samba:
> > I am currently trying to get a Samba 4.5.1 environment set up for
> > testing and I am unable to get samba to request a new password from
> > a windows user. The error that I get, is in Japanese, so I don't
> > have the exact translation, however it is along the lines of...
> >
> > Your user password must be changed before logging in for the first
> > time.
> >
> > I am currently using SambaDC (although my computer is not connected
> > to the samba domain).
>
> As far as I know, Windows only prompts for password changes when a
> domain user logs into a domain workstation. If a domain user just
> access a share from a none-domain-member machine only an error is
> shown and access is denied.
>
>
>
> Am 03.12.2016 um 18:53 schrieb Rowland Penny via samba:
> > You also seem to have built the deprecated 'ntvfs' filesystem.
>
> Yes, but he's not using it:
> > server services = s3fs,...
>
> If he would, Samba 4.5 would fail to start:
> https://wiki.samba.org/index.php/Updating_Samba#The_ntvfs_File_Server_Back_End_Has_Been_Disabled
>
>

Yes, I noticed, but everything the OP posted seemed to be just wrong.
He appears to be running Samba as an AD DC, but isn't joining anything
to it, he has built the 'ntvfs' filesystem but isn't using it.

Perhaps it might help if the OP was to describe just what they are
doing and why.

Rowland

Andrew Bartlett via samba

unread,
Dec 4, 2016, 2:00:03 PM12/4/16
to
On Sun, 2016-12-04 at 11:43 +0000, Rowland Penny via samba wrote:
> On Sun, 4 Dec 2016 12:11:17 +0100
> Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:
>
> >
> > Hi Scott,
> >
> > Am 02.12.2016 um 06:55 schrieb Scott Mattan via samba:
> > >
> > > I am currently trying to get a Samba 4.5.1 environment set up for
> > > testing and I am unable to get samba to request a new password
> > > from
> > > a windows user.  The error that I get, is in Japanese, so I don't
> > > have the exact translation, however it is along the lines of...
> > >
> > > Your user password must be changed before logging in for the
> > > first
> > > time.
> > >
> > > I am currently using SambaDC (although my computer is not
> > > connected
> > > to the samba domain).
> >
> > As far as I know, Windows only prompts for password changes when a
> > domain user logs into a domain workstation. If a domain user just
> > access a share from a none-domain-member machine only an error is
> > shown and access is denied.

This is correct.  There isn't a way to forward on the password changes,
nor clearly know which DC the file server was using, so no password
change prompt can be offered.

> >
> >
> > Am 03.12.2016 um 18:53 schrieb Rowland Penny via samba:
> > >
> > > You also seem to have built the deprecated 'ntvfs' filesystem.
> >
> > Yes, but he's not using it:
> > >
> > > server services = s3fs,...
> >
> > If he would, Samba 4.5 would fail to start:
> > https://wiki.samba.org/index.php/Updating_Samba#The_ntvfs_File_Serv
> > er_Back_End_Has_Been_Disabled
> >
> >
>
> Yes, I noticed, but everything the OP posted seemed to be just wrong.
> He appears to be running Samba as an AD DC, but isn't joining
> anything
> to it, he has built the 'ntvfs' filesystem but isn't using it.

That's just because he built with --enable-selftest.  That turns on the
ntvfs file server as the selftest relies on it.

> Perhaps it might help if the OP was to describe just what they are
> doing and why.

Always a good thing to start with.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Rowland Penny via samba

unread,
Dec 4, 2016, 2:20:03 PM12/4/16
to

Again I knew this, but why does selftest rely on something that isn't
used anymore, just what does get tested ? and how does using ntvfs
help ?

Rowland

Rowland Penny via samba

unread,
Dec 5, 2016, 3:20:03 AM12/5/16
to
On Mon, 05 Dec 2016 21:07:48 +1300
Andrew Bartlett <abar...@samba.org> wrote:


>
> It is a lot of work to change the situation, even more so without loss
> of important tests.  A number of tests, particularly for spoolss but
> also of the cifs proxy (which in turn tests kerberos delegation), use
> the ntvfs file server.

OK, but how can you be sure that something you are testing against
ntvfs actually works with s3fs ? 

Andrew Bartlett via samba

unread,
Dec 5, 2016, 3:20:03 AM12/5/16
to

It is a lot of work to change the situation, even more so without loss


of important tests.  A number of tests, particularly for spoolss but
also of the cifs proxy (which in turn tests kerberos delegation), use
the ntvfs file server. 

The next step is to have it build with ntvfs only during the main make,
but re-link without it for the install.  That is still non-trivial
however.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Andrew Bartlett via samba

unread,
Dec 5, 2016, 3:40:02 AM12/5/16
to
On Mon, 2016-12-05 at 08:12 +0000, Rowland Penny via samba wrote:
> On Mon, 05 Dec 2016 21:07:48 +1300
> Andrew Bartlett <abar...@samba.org> wrote:
>
>
> >
> >
> > It is a lot of work to change the situation, even more so without
> > loss
> > of important tests.  A number of tests, particularly for spoolss
> > but
> > also of the cifs proxy (which in turn tests kerberos delegation),
> > use
> > the ntvfs file server.
>
> OK, but how can you be sure that something you are testing against
> ntvfs actually works with s3fs ? 

The spoolss tests are testing the (very odd) rpc call-back
functionality that requires the spoolss server to make a reverse call
to the client to deliver the notifications.  The ntvfs file server
helps provide one of the layers involved, to allow the smbtorture
process to listen as an smb server and then provide a specail RPC
interface.

As we don't otherwise implement the client side of this protocol, the
means used to implement it are not important, we are testing the server
against a instrumented mock implementation.

This isn't the only reason that part of the codebase is used, but I
hope I can clarify at least this one for you.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Rowland Penny via samba

unread,
Dec 5, 2016, 4:00:02 AM12/5/16
to
On Mon, 05 Dec 2016 21:30:20 +1300
Andrew Bartlett <abar...@samba.org> wrote:

Sorry, but no, it doesn't clarify anything. What you didn't say is
whether anything will actually make the rpc call in the real world. If
nothing ever will, then there is no point in testing it. What I am
trying to get at, using ntvfs in testing, then moving to s3fs in
production, is a like test running an engine fitted with a
carburettor, then fitting fuel injection in production without further
testing, just how are you supposed to be sure it will work correctly ?

I thought the whole idea behind testing, is to actually test what will
be used, or am I wrong ?

Rowland

Andrew Bartlett via samba

unread,
Dec 5, 2016, 10:40:03 AM12/5/16
to

Don't worry, the smbd file server is also extensively tested. 

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Rowland Penny via samba

unread,
Dec 5, 2016, 12:00:03 PM12/5/16
to
On Tue, 06 Dec 2016 04:31:34 +1300
Andrew Bartlett <abar...@samba.org> wrote:

That is not the point, if you are testing 'something' against ntvfs &
s3fs, then surely the ntvfs test is no longer required. If you are
testing 'something' against ntvfs but not testing it against s3fs, how
do you know it works with s3fs ?

Surely testing using a component that isn't used in production isn't a
good idea, wouldn't it make more sense to alter all the tests to use
s3fs instead of ntvfs ?

Rowland

0 new messages