[Pkg-samba-maint] Bug#425083: Password expire bug not fixed in samba 3.0.25a-1

Ralph Passgang ralph at debianbase.de
Mon May 28 21:01:13 UTC 2007


On Monday, 28 May 2007 19:52:42 you wrote:
> Quoting Ralph Passgang (ralph at debianbase.de):
> > Hello,
> >
> > I am sorry, but the bug I reported is not fixed in the latest upstream
> > version 3.0.25a.
> >
> > I still have the same problem, that passwords are only valid for about 5
> > to 6 minutes after setting them. This makes samba more or less useless in
> > my setup.
> >
> > pdbedit still shows something like this for all domain users:
> >
> > Password last set:    Mon, 28 May 2007 02:10:58 CEST
> > Password can change:  Mon, 28 May 2007 02:10:58 CEST
> > Password must change: Mon, 28 May 2007 02:16:54 CEST
> >
> > The "must change" date is always the "last set" date + 5-6 minutes, which
> > makes the account only useable for a very short time.
> >
> > If I downgrade to 3.0.24 again, then the password expiry is always the
> > "last set" date + about 30 years. Surprisingly I don't even need to set
> > the password again after downgrading. The "must change" time changes just
> > by switching the samba version and without the user setting a new
> > password. I guess something is wrong in samba's logic to calculate the
> > password expiration date.
>
> Are you in position to try what Jeremy suggests in upstream bug
> #4630 ?
>
> "This patch doesn't look like it's a fix for the issue. In order to fix
> this I need an ethereal/wireshark trace of a logon being denied as well as
> a debug level 10 trace from the smbd denying the user logon.
>
> I can't make progress on fixing this bug without these from someone who is
> suffering from the problem."

I might be able to provide a tcpdump, but I don't understand why a tcpdump is 
really needed, because the reason why samba denies the login is quite obvious: 
it's because the "password must change" time is in the past. Samba is acting 
correctly on this. The problem can definitely not be solved by looking at the 
network traffic. The mistake is in setting / calculating the "must change 
password" time and not in the actual login attempt.

> Also maybe provide what Jim McDonough suggested ;
>
> "Please do include a trace.  I'm curious as to why you would get 64-bit
> time_t on a 32-bit system.  Can you include a 'net sam policy show "max
> password age"', or on the older samba a 'pdbedit -C "max password age"'
> (the latter should work on the newer one as well) ?"

I think two bug-reports got mixed up... I never had the "64-bit time_t on 
32-bit system" problem. But trying to look up the policy for the password 
expiration time helped a lot.

Btw.: The "net sam policy ..." as well as the "pdbedit -C ..." syntax is wrong 
and not working.

But after reading the man page a bit, I found this:

First with version 3.0.24:
# pdbedit -P "maximum password age"
account policy "maximum password age" description: Maximum password age, in 
seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 356

The password expiry time is 356 seconds? But on 3.0.24 and before my user has 
an expiry time of 30 years and I never had any problems with this. So upstream 
seems to have had a non-working password expiry validation check for a very long 
time. My debian sid box with samba has been running for at least 4 years!

Now to 3.0.25a:

pdbedit -P "maximum password age"
account policy "maximum password age" description: Maximum password age, in 
seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 356

Still 356 seconds, but this time the user really has just a password that is 
valid for 5:56 minutes (356 seconds). pdbedit -L -n -v <username> shows 
exactly this!

Knowing that 3.0.24 and before seem to ignore the max password age and simply 
use 30 years for all users, and that 3.0.25 for the first time really uses this 
value, I changed that with pdbedit:

pdbedit -P "maximum password age" -C -1
account policy "maximum password age" description: Maximum password age, in 
seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 356
account policy "maximum password age" value is now: 4294967295

Now pdbedit -L -n -v <username> shows this:
...
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mon, 28 May 2007 02:10:58 CEST
Password can change:  Mon, 28 May 2007 02:10:58 CEST
Password must change: never
...

I am not sure where (my) default of 356 seconds came from, but if it's the 
default on every debian machine with samba, then you probably should change 
that to "never" / -1 for samba >= 3.0.25.

Ralph
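As an added example that is not part of this thread: a small audit script that parses the kind of pdbedit output quoted above, checks that the "must change" time equals "last set" plus the configured maximum password age (the 3.0.25 behaviour described in the mail), treats -1 and its unsigned form 4294967295 as "never", and flags a policy short enough to lock users out minutes after a password change. The sample output strings are constructed from the values in this mail; the function names and the 86400-second sanity threshold are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output modelled on the pdbedit lines quoted in this mail.
POLICY_OUTPUT = (
    'account policy "maximum password age" description: Maximum password age, in '
    'seconds (default: -1 => never expire passwords)\n'
    'account policy "maximum password age" value is: 356\n'
)
USER_OUTPUT = (
    "Password last set:    Mon, 28 May 2007 02:10:58 CEST\n"
    "Password can change:  Mon, 28 May 2007 02:10:58 CEST\n"
    "Password must change: Mon, 28 May 2007 02:16:54 CEST\n"
)

# -1 ("never") is displayed as the unsigned 32-bit value 4294967295 after pdbedit -C -1.
NEVER_VALUES = {-1, 0xFFFFFFFF}


def parse_max_password_age(policy_text):
    """Extract the integer from a 'pdbedit -P "maximum password age"' listing."""
    m = re.search(r'"maximum password age" value is(?: now)?:\s*(-?\d+)', policy_text)
    return int(m.group(1)) if m else None


def parse_time_field(user_text, label):
    """Return the datetime after `label:` in 'pdbedit -L -v' output, or None for 'never'."""
    m = re.search(rf"^{re.escape(label)}:\s+(.+?)\s*$", user_text, re.M)
    if not m or m.group(1) == "never":
        return None
    stamp = m.group(1).rsplit(" ", 1)[0]  # drop the zone name (CEST); strptime %Z is unreliable
    return datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")


def expected_must_change(last_set, max_age):
    """Samba 3.0.25 semantics as described in the mail: last set + max age, or never."""
    if last_set is None or max_age is None or max_age in NEVER_VALUES:
        return None
    return last_set + timedelta(seconds=max_age)


def audit(policy_text, user_text, min_sane_age=86400):
    """Compare the observed 'must change' time with the policy and flag a too-short age."""
    max_age = parse_max_password_age(policy_text)
    last_set = parse_time_field(user_text, "Password last set")
    observed = parse_time_field(user_text, "Password must change")
    finite = max_age is not None and max_age not in NEVER_VALUES
    return {
        "max_age": max_age,
        "never_expires": max_age in NEVER_VALUES,
        "consistent": observed == expected_must_change(last_set, max_age),
        "too_short": finite and max_age < min_sane_age,
    }
```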
