[SRU] Samba NT_STATUS_PASSWORD_MUST_CHANGE bug

Bug #259110 reported by John Baker
10
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
Fix Released
Undecided
Chuck Short
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Fix Released
Undecided
Chuck Short

Bug Description

Binary package hint: samba

Using Ubuntu Hardy L.T.S this error comes up when connecting to Samba with security = user. My setup checks the password with LDAP, our schema contains no password expiry information and we don't have this trouble with other versions of Samba.

This note is in the changes section of the release notes for Samba 3.0.31 "BUG 5555: Don't return NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon.

It appears that this bug came up in samba version 3.0.26a the release that made it into Hardy Heron.

Revision history for this message
Chuck Short (zulcss) wrote :

Hi,

Thanks for the bug report. This looks like a good candidate for an SRU.

Impact: LDAP schemas for samba that contains no password expiry information gets a NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon. From upstream:

The net_rpc_join.c code uses a level 24 to set the password when we
are joining a Samba PDC. Inside smbd we don't update the password last set
field from zero on level 24, only level 25. Thus the password last set is left
at zero on a join and subsequent auth attempts on the machine account fail with
a NT_STATUS_PASSWORD_MUST_CHANGE error.

I've reproduced this on 3.0.x but I think the same code is in 3.2 and this is a
blocker bug for 3.2.0.

https://bugzilla.samba.org/show_bug.cgi?id=5555

How to reproduce:

See above.

I have attached the patch which fixes this issue. If you have any questions please feel free to ask.

Regards
chuck

Revision history for this message
Chuck Short (zulcss) wrote :
Revision history for this message
Steve Langasek (vorlon) wrote :

samba 3.0.28a-1ubuntu4.6 has been uploaded to the queue, but there is already a -1ubuntu4.5 in hardy-proposed awaiting SRU verification. Can someone please complete the SRU verification for the already pending bugs 180493 and 242325, so that we aren't stacking these too deep?

Changed in samba:
status: New → In Progress
Revision history for this message
Chuck Short (zulcss) wrote :

They have been verified already.

chuck

Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message
Martin Pitt (pitti) wrote :

Please fix in intrepid ASAP.

Changed in samba:
assignee: nobody → zul
status: New → Fix Committed
assignee: zul → zulcss
Revision history for this message
Martin Pitt (pitti) wrote :

Any chance to test this soon, and get the patch uploaded to intrepid, too? Intrepid is close to release, and there is another samba update waiting in the queue already (bug 236830).

Revision history for this message
Chuck Short (zulcss) wrote :

Martin,

Intrepid already has this patch because it was backported from the samba 3.2 version.

Regards
chuck

Changed in samba:
status: In Progress → Fix Released
Revision history for this message
Julien Desfossez (julien+launchpad) wrote :

Tested the proposed samba package on hardy x86 and everything is working fine : no side effect caused by the patch and machine authentication is now working fine even if there is no sambaPwdLastSet attribute in LDAP.

Thanks,

Julien

Revision history for this message
Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in samba:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.