[Pkg-samba-maint] Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning
Josip Rodin
joy at debbugs.entuzijast.net
Fri Jun 12 09:43:08 UTC 2009
Package: samba
Version: 2:3.2.5-4lenny2
Hi,
After upgrade to lenny, my Samba users started getting endless prompts
for changing their password. The domain controller logs this message:
[2009/06/12 11:40:50, 1] auth/auth_sam.c:sam_account_ok(172)
sam_account_ok: Account for user 'pperic' password must change!.
As it turns out, they didn't have the sambaPwdLastSet attribute in their
LDAP entries. This was easy to fix, but it is still a regression from Samba 3.0.
Nothing actually told me that the attribute was missing; I concluded it from
reading the code. It seems like this part of the code is the culprit:
source/auth/auth_sam.c:sam_account_ok()

    if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) {
        time_t must_change_time = pdb_get_pass_must_change_time(sampass);
        time_t last_set_time = pdb_get_pass_last_set_time(sampass);

        /* check for immediate expiry "must change at next logon"
         * for a user account. */
        if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) {
            DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
            return NT_STATUS_PASSWORD_MUST_CHANGE;
        }
In the old version from etch, that looked like this:

    if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) {
        time_t must_change_time = pdb_get_pass_must_change_time(sampass);
        time_t last_set_time = pdb_get_pass_last_set_time(sampass);

        /* check for immediate expiry "must change at next logon" */
        if (must_change_time == 0 && last_set_time != 0) {
            DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
            return NT_STATUS_PASSWORD_MUST_CHANGE;
        }
I've no idea if that's the part that needs fixing now, but it's the
place where I started searching, and from where I found that
source/passdb/pdb_ldap.c:ldapsam_get_trusteddom_pw() was reading
pass_last_set_time from the sambaPwdLastSet LDAP attribute, which
was missing in my case.
Also I don't know much about the definition of LDAP schemas, but even there
we still have this:
    objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY ( [...] $ sambaPwdLastSet $ [...] ))
New users that we create with phpLDAPadmin (also from lenny) don't
get that attribute, so when they try to connect to a Samba server,
they get NT_STATUS_PASSWORD_MUST_CHANGE.
Please fix this. TIA.
--
2. That which causes joy or happiness.
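An added example, not part of the bug report or of Samba: a small Python audit that parses ldapsearch LDIF output and lists the sambaSamAccount entries that lack sambaPwdLastSet, i.e. the accounts the Samba 3.2 check above will reject with NT_STATUS_PASSWORD_MUST_CHANGE. The LDIF is constructed sample data, and the generated modify LDIF that sets sambaPwdLastSet to a given time is one assumed remediation, not the fix the reporter applied.

```python
# Constructed sample ldapsearch output: 'pperic' lacks sambaPwdLastSet, 'ana' has it.
SAMPLE_LDIF = """\
dn: uid=pperic,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: pperic
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=ana,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: ana
sambaSID: S-1-5-21-1-2-3-1002
sambaPwdLastSet: 1244799650

dn: uid=svc,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: svc
"""


def parse_ldif(text):
    """Parse simple ldapsearch output: 'attr: value' lines, one blank line
    between entries. Comments, folded lines and base64 (attr::) are skipped."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if not line or line[0] in ("#", " ") or value.startswith(":"):
                continue
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def missing_pwd_last_set(entries):
    """DNs of sambaSamAccount entries without sambaPwdLastSet: Samba 3.2 reads
    the absent attribute as last_set_time == 0 and rejects every logon with
    NT_STATUS_PASSWORD_MUST_CHANGE."""
    return [e["dn"][0] for e in entries
            if "sambasamaccount" in [o.lower() for o in e.get("objectclass", [])]
            and "sambapwdlastset" not in e]


def remediation_ldif(dns, now):
    """Modify-LDIF adding sambaPwdLastSet=now (Unix time) to each DN. This is
    an assumed fix, not the reporter's; review it before running ldapmodify."""
    return "".join(f"dn: {dn}\nchangetype: modify\nadd: sambaPwdLastSet\n"
                   f"sambaPwdLastSet: {int(now)}\n\n" for dn in dns)
```

Feed the output of `ldapsearch -LLL '(objectClass=sambaSamAccount)'` to parse_ldif() to audit a real directory; the plain POSIX entry in the sample shows that non-Samba accounts are left alone.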