Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Samba4 Users can not change their password using ctrl + alt + del
1,032 views
Skip to first unread message
Nguyen Trung Hieu
Mar 17, 2014, 3:10:02 PM3/17/14
to
Dear Samba team
In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
I don't change any password policy (all are default!)
But when users logged on sucessfully, they *pressed ctrl + alt + del* in
order to change their passwords (new password included over 8 characters,
complexity...), but they failed
I also read this link:
https://lists.samba.org/archive/samba/2010-September/158171.html
Could you please help me?
Thanks so much!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
I don't change any password policy (all are default!)
But when users logged on sucessfully, they *pressed ctrl + alt + del* in
order to change their passwords (new password included over 8 characters,
complexity...), but they failed
I also read this link:
https://lists.samba.org/archive/samba/2010-September/158171.html
Could you please help me?
Thanks so much!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
Mar 17, 2014, 11:00:02 PM3/17/14
to
On Sun, 2014-03-16 at 08:54 +0700, Nguyen Trung Hieu wrote:
> Dear Samba team
>
> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>
> I don't change any password policy (all are default!)
>
> But when users logged on sucessfully, they *pressed ctrl + alt + del* in
> order to change their passwords (new password included over 8 characters,
> complexity...), but they failed
>
> I also read this link:
>
> https://lists.samba.org/archive/samba/2010-September/158171.html
>
> Could you please help me?
What errors are shown on the client and in the server logs?
> Dear Samba team
>
> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>
> I don't change any password policy (all are default!)
>
> But when users logged on sucessfully, they *pressed ctrl + alt + del* in
> order to change their passwords (new password included over 8 characters,
> complexity...), but they failed
>
> I also read this link:
>
> https://lists.samba.org/archive/samba/2010-September/158171.html
>
> Could you please help me?
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Günter Kukkukk
Mar 18, 2014, 12:20:01 AM3/18/14
to
Am 18.03.2014 03:52, schrieb Andrew Bartlett:
> On Sun, 2014-03-16 at 08:54 +0700, Nguyen Trung Hieu wrote:
>> Dear Samba team
>>
>> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>>
>> I don't change any password policy (all are default!)
>>
>> But when users logged on sucessfully, they *pressed ctrl + alt + del* in
>> order to change their passwords (new password included over 8 characters,
>> complexity...), but they failed
>>
>> I also read this link:
>>
>> https://lists.samba.org/archive/samba/2010-September/158171.html
>>
>> Could you please help me?
>
> What errors are shown on the client and in the server logs?
>
> Andrew Bartlett
>
>
when i test that here with a win7 ultimate box, i get on the samba side:
> On Sun, 2014-03-16 at 08:54 +0700, Nguyen Trung Hieu wrote:
>> Dear Samba team
>>
>> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>>
>> I don't change any password policy (all are default!)
>>
>> But when users logged on sucessfully, they *pressed ctrl + alt + del* in
>> order to change their passwords (new password included over 8 characters,
>> complexity...), but they failed
>>
>> I also read this link:
>>
>> https://lists.samba.org/archive/samba/2010-September/158171.html
>>
>> Could you please help me?
>
> What errors are shown on the client and in the server logs?
>
> Andrew Bartlett
>
>
kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
in kpasswdd.c -> kpasswd_make_pwchange_reply()
not all SAM_PWD_* enums are tested, so the switch/default case is taken.
Sorry, have no time to dig deeper with this one.
Cheers, Günter
--
Michał Półrolniczak
Mar 18, 2014, 2:40:02 AM3/18/14
to
we having same problem but in our case, client can change password 24h
after admin set password for that account (and didnt check "user need to
change password), even if password policy is set to 0 as minimum days
for password.
after admin set password for that account (and didnt check "user need to
change password), even if password policy is set to 0 as minimum days
for password.
vikas
Mar 24, 2014, 4:50:03 AM3/24/14
to
Hi team !!
samba=4.1.5 AD DC
os=centos 6.3 64bit
Client= Windows 7 ultimate 32bit
User cannot change password using clrl + alt + del after login when they
try to change they get *this <http://tinyurl.com/o683lr3>* unable to
update the password....*
samba-tool domain passwordsettings show
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 30
Maximum password age (days): 42
smb.conf
# Global parameters
[global]
workgroup = IK
realm = IK.LOCAL
netbios name = DC
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%u
log level = 3
printing = bsd
printcap name = /dev/null
syslog = 0
# include = /usr/local/samba/etc/smb.conf.client-%I
........truncated................
*
also i have waited 24hrs as mention in previous thread
there are no log activity when user is trying to change password
user can change password when we use "use can change the password at
next logon " using any kind of password like lee@321 lee@123 which
doesn't throw any complexity error...
regards
vikas
samba=4.1.5 AD DC
os=centos 6.3 64bit
Client= Windows 7 ultimate 32bit
User cannot change password using clrl + alt + del after login when they
try to change they get *this <http://tinyurl.com/o683lr3>* unable to
update the password....*
samba-tool domain passwordsettings show
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 30
Maximum password age (days): 42
smb.conf
# Global parameters
[global]
workgroup = IK
realm = IK.LOCAL
netbios name = DC
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%u
log level = 3
printing = bsd
printcap name = /dev/null
syslog = 0
# include = /usr/local/samba/etc/smb.conf.client-%I
........truncated................
*
also i have waited 24hrs as mention in previous thread
there are no log activity when user is trying to change password
user can change password when we use "use can change the password at
next logon " using any kind of password like lee@321 lee@123 which
doesn't throw any complexity error...
regards
vikas
Michał Półrolniczak
Mar 24, 2014, 9:30:02 AM3/24/14
to
Did you try to change password after full 24h?
In our case,even if the GPO was set to minimum age of password to 0,
some user had to wait 24h till first password change
In our case,even if the GPO was set to minimum age of password to 0,
some user had to wait 24h till first password change
Michał Półrolniczak
Mar 24, 2014, 10:00:01 AM3/24/14
to
we are creating users without checked of you must change password on
next logon.
Then, when reseting/setting new password we dont check need to change
password.
Then some user can change they password others need to wait 24h.
next logon.
Then, when reseting/setting new password we dont check need to change
password.
Then some user can change they password others need to wait 24h.
vikas
Mar 24, 2014, 10:00:01 AM3/24/14
to
hi..
just to avoid any confusion i created a user with name demo1 and kept
"uses must change password at next login" and then i login with demo
which prompted to change password which got successfully.
after 50 hrs then i checked but still not able to change
can you just tell me what steps you did to create user ? like did you
kept check on "uses must change password at next login" and what is your
password settings ? so that i can resemble the same.
regards.
vikas
just to avoid any confusion i created a user with name demo1 and kept
"uses must change password at next login" and then i login with demo
which prompted to change password which got successfully.
after 50 hrs then i checked but still not able to change
can you just tell me what steps you did to create user ? like did you
kept check on "uses must change password at next login" and what is your
password settings ? so that i can resemble the same.
regards.
vikas
Nguyen Trung Hieu
Mar 24, 2014, 12:10:03 PM3/24/14
to
Dear all
Sorry for late, my log /var/log/messages, /var/log/samba/log.samba show
nothing
I don't know how to debug, I 'm sorry!
I also test some cases other
1. Using RSAT on Win7, Administrator reset password (and also checked: User
must change password at next logon) user u01
On other PC
test case 01:
u01 log off (1st) and logon --> u01 still can using old password --> not OK
u01 log off again (2nd) --> u01 can not using old password, must be using
new reseted password
test case 02:
u01 run command gpupdate /force and log off (1st), u01 still can using old
password --> not OK
---------------------------------------------
in test case 01 + 02:
restart PC (1st), u01 must be using new reseted password --> OK
Could you please help me troubleshoot this problem?
Thanks so much!
Sorry for late, my log /var/log/messages, /var/log/samba/log.samba show
nothing
I don't know how to debug, I 'm sorry!
I also test some cases other
1. Using RSAT on Win7, Administrator reset password (and also checked: User
must change password at next logon) user u01
On other PC
test case 01:
u01 log off (1st) and logon --> u01 still can using old password --> not OK
u01 log off again (2nd) --> u01 can not using old password, must be using
new reseted password
test case 02:
u01 run command gpupdate /force and log off (1st), u01 still can using old
password --> not OK
---------------------------------------------
in test case 01 + 02:
restart PC (1st), u01 must be using new reseted password --> OK
Could you please help me troubleshoot this problem?
Thanks so much!
Nguyen Trung Hieu
Mar 24, 2014, 12:10:04 PM3/24/14
to
The same problem is disable an account
By the way, I know RHEL 7 also debug samba4 for their product at this link:
https://bugzilla.redhat.com/buglist.cgi?component=samba&product=Red%20Hat%20Enterprise%20Linux%207
Is there collaborate between samba team and red hat team for bug fixed?
I think it will help samba better
Thanks all
By the way, I know RHEL 7 also debug samba4 for their product at this link:
https://bugzilla.redhat.com/buglist.cgi?component=samba&product=Red%20Hat%20Enterprise%20Linux%207
Is there collaborate between samba team and red hat team for bug fixed?
I think it will help samba better
Thanks all
vikas
Apr 1, 2014, 12:30:03 PM4/1/14
to
Hi team,
For now it seem issue is SOLVED
Samba 4.1.5
Centos 6.3 64bit
Compile using Samba How/To wiki
on windows clients can change password only if the settings are like below
# samba-tool domain passwordsettings show
Password complexity: off
change password easily*
Password complexity: off
can cannot change password even using toughest password*
it does not matter all can change password if min-age set to 0.
thanks @michal
For now it seem issue is SOLVED
Samba 4.1.5
Centos 6.3 64bit
Compile using Samba How/To wiki
on windows clients can change password only if the settings are like below
# samba-tool domain passwordsettings show
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
* Minimum password age (days): 0 # if min age is set to 0 user can
Password history length: 24
Minimum password length: 5
change password easily*
Maximum password age (days): 42
# samba-tool domain passwordsettings show
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
* Minimum password age (days): 30 # if min age is set to 30 user
Password history length: 24
Minimum password length: 5
can cannot change password even using toughest password*
Maximum password age (days): 42
Also like mention before, whether uses is created just now or 24 hrs ago
it does not matter all can change password if min-age set to 0.
thanks @michal
0 new messages