Your message dated Sun, 16 Aug 2009 09:39:10 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-samba-maint] Bug#532859: sambaPwdLastSet became a 
mandatory ldapsam attribute with no warning
has caused the Debian Bug report #532859,
regarding sambaPwdLastSet became a mandatory ldapsam attribute with no warning
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
532859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532859
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba
Version: 2:3.2.5-4lenny2

Hi,

After upgrade to lenny, my Samba users started getting endless prompts
for changing their password. The domain controller logs this message:

[2009/06/12 11:40:50,  1] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'pperic' password must change!.

As it turns out, they didn't have the sambaPwdLastSet attribute in their
LDAP entries. This was easy to fix, but still a regression from Samba 3.0.
Nothing actually told me that the attribute was missing, I concluded it from
reading the code... it seems like this part of the code is the culprit:

source/auth/auth_sam.c:sam_account_ok()

        if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) &&
            !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
                time_t last_set_time = pdb_get_pass_last_set_time(sampass);

                /* check for immediate expiry "must change at next logon"
                 * for a user account. */
                if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) &&
                    (last_set_time == 0)) {
                        DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
                                 pdb_get_username(sampass)));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }

In the old version from etch, that looked like this:

        if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
                time_t last_set_time = pdb_get_pass_last_set_time(sampass);

                /* check for immediate expiry "must change at next logon" */
                if (must_change_time == 0 && last_set_time != 0) {
                        DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
                                 pdb_get_username(sampass)));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }

I've no idea if that's the part that needs fixing now, but it's the
place where I started searching, and from where I found that
source/passdb/pdb_ldap.c:ldapsam_get_trusteddom_pw() was reading
pass_last_set_time from the sambaPwdLastSet LDAP attribute, which
was missing in my case.

Also I don't know much about the definition of LDAP schemas, but even there
we still have this:

objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY  ( [...] $ sambaPwdLastSet $ [...] ))

New users that we create with phpLDAPadmin (also from lenny) don't
get that attribute, so when they try to connect to a Samba server,
they get NT_STATUS_PASSWORD_MUST_CHANGE.

Please fix this. TIA.

-- 
     2. That which causes joy or happiness.



--- End Message ---
--- Begin Message ---
> As it turns out, they didn't have the sambaPwdLastSet attribute in their
> LDAP entries. This was easy to fix, but still a regression from Samba 3.0.
> Nothing actually told me that the attribute was missing, I concluded it from
> reading the code... it seems like this part of the code is the culprit:


As was just pointed out today by Oded Naveh, this change (preventing
logins from clients when sambaPwdLastSet is not set) is an upstream
change that was documented, and indeed was even there in etch's
version (the change appeared in 3.0.2).


I don't really understand why and how things were working for you in
etch but, indeed, impossible logins from accounts that don't have
sambaPwdLastSet is a "normal" expected behaviour in post-3.0.2 samba
versions.




--- End Message ---
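Added example, not code from Samba, from Debian, or from either message above: the decision both messages describe (an ldapsam account whose sambaPwdLastSet is absent or 0 is refused with NT_STATUS_PASSWORD_MUST_CHANGE unless it is flagged no-expiry, no-password-required, or is a trust account), re-implemented in Python over sambaSamAccount entries read from LDIF. It lets an administrator audit a directory export for the users who will hit this path and generate the modify LDIF that adds sambaPwdLastSet. The entries, DNs and SIDs are constructed; the flag letters follow the sambaAcctFlags encoding (X = ACB_PWNOEXP, N = ACB_PWNOTREQ, W = ACB_WSTRUST, S = ACB_SVRTRUST); a missing attribute is treated as 0, which is what the report found ldapsam does.

```python
"""Find ldapsam users who will get NT_STATUS_PASSWORD_MUST_CHANGE because
sambaPwdLastSet is missing or 0, and emit an LDIF fix for them.

Added example; mirrors the Samba 3.2 sam_account_ok() check quoted in
Debian bug #532859. Not Samba code."""
import time

# Letters used inside sambaAcctFlags, e.g. "[UX        ]" (Samba encoding).
ACB_PWNOTREQ = 'N'   # no password required
ACB_PWNOEXP = 'X'    # password never expires
ACB_WSTRUST = 'W'    # workstation trust account
ACB_SVRTRUST = 'S'   # server trust account

# Constructed sample export; DNs, SIDs and users are made up for this example.
SAMPLE_LDIF = """\
dn: uid=pperic,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pperic
sambaSID: S-1-5-21-1-2-3-1001
sambaAcctFlags: [U          ]

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-1002
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1244799650

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-1-2-3-1003
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0

dn: uid=svcbackup,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: svcbackup
sambaSID: S-1-5-21-1-2-3-1004
sambaAcctFlags: [UX         ]

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
sambaSID: S-1-5-21-1-2-3-1005
sambaAcctFlags: [W          ]

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts. Unfolds
    continuation lines; base64 (::) values are not needed for these attrs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def acct_flags(entry):
    """'[UX         ]' -> {'U', 'X'}; an absent attribute means a plain user."""
    raw = entry.get('sambaAcctFlags', ['[U]'])[0]
    return set(raw.strip('[]').replace(' ', ''))


def must_change_password(entry):
    """Same decision as the 3.2 sam_account_ok() excerpt in the report:
    skip if PWNOEXP or PWNOTREQ, skip trust accounts, else fail on
    last_set_time == 0 (ldapsam leaves it 0 when the attribute is missing)."""
    flags = acct_flags(entry)
    if ACB_PWNOEXP in flags or ACB_PWNOTREQ in flags:
        return False
    if ACB_WSTRUST in flags or ACB_SVRTRUST in flags:
        return False
    last_set_time = int(entry.get('sambaPwdLastSet', ['0'])[0])
    return last_set_time == 0


def is_samba_account(entry):
    return 'sambaSamAccount' in entry.get('objectClass', [])


def affected_users(ldif_text):
    """uids of sambaSamAccount entries that will be refused at logon."""
    return [e['uid'][0] for e in parse_ldif(ldif_text)
            if is_samba_account(e) and must_change_password(e)]


def fix_ldif(ldif_text, now=None):
    """LDIF 'changetype: modify' records setting sambaPwdLastSet = now
    (epoch seconds) for every affected entry; feed to ldapmodify."""
    now = int(time.time()) if now is None else now
    records = ["dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\n"
               "sambaPwdLastSet: %d\n" % (e['dn'][0], now)
               for e in parse_ldif(ldif_text)
               if is_samba_account(e) and must_change_password(e)]
    return "\n".join(records)


if __name__ == '__main__':
    print("affected:", affected_users(SAMPLE_LDIF))
    print(fix_ldif(SAMPLE_LDIF))
```

Run it against a real export (ldapsearch -LLL '(objectClass=sambaSamAccount)' dn uid objectClass sambaAcctFlags sambaPwdLastSet) and apply the output with ldapmodify; setting the value to the current time makes the account usable and leaves the domain's password-age policy to decide when the next change is due.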
