Debian Bug report logs - #532859
sambaPwdLastSet became a mandatory ldapsam attribute with no warning


Package: samba; Maintainer for samba is Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>; Source for samba is src:samba.

Reported by: Josip Rodin <joy@debbugs.entuzijast.net>

Date: Fri, 12 Jun 2009 10:21:04 UTC

Severity: normal

Found in version samba/2:3.2.5-4lenny2

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Fri, 12 Jun 2009 10:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Fri, 12 Jun 2009 10:21:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: submit@bugs.debian.org
Subject: sambaPwdLastSet became a mandatory ldapsam attribute with no warning
Date: Fri, 12 Jun 2009 11:43:08 +0200
Package: samba
Version: 2:3.2.5-4lenny2

Hi,

After upgrade to lenny, my Samba users started getting endless prompts
for changing their password. The domain controller logs this message:

[2009/06/12 11:40:50,  1] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'pperic' password must change!.

As it turns out, they didn't have the sambaPwdLastSet attribute in their
LDAP entries. This was easy to fix, but still a regression from Samba 3.0.
Nothing actually told me that the attribute was missing, I concluded it from
reading the code... it seems like this part of the code is the culprit:

source/auth/auth_sam.c:sam_account_ok()

        if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
                time_t last_set_time = pdb_get_pass_last_set_time(sampass);

                /* check for immediate expiry "must change at next logon" 
                 * for a user account. */
                if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) {
                        DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }

In the old version from etch, that looked like this:

        if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) {
                time_t must_change_time = pdb_get_pass_must_change_time(sampass);
                time_t last_set_time = pdb_get_pass_last_set_time(sampass);

                /* check for immediate expiry "must change at next logon" */
                if (must_change_time == 0 && last_set_time != 0) {
                        DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
                        return NT_STATUS_PASSWORD_MUST_CHANGE;
                }

I've no idea if that's the part that needs fixing now, but it's the
place where I started searching, and from where I found that
source/passdb/pdb_ldap.c:ldapsam_get_trusteddom_pw() was reading
pass_last_set_time from the sambaPwdLastSet LDAP attribute, which
was missing in my case.

Also I don't know much about the definition of LDAP schemas, but even there
we still have this:

objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY  ( [...] $ sambaPwdLastSet $ [...] ))

New users that we create with phpLDAPadmin (also from lenny) don't
get that attribute, so when they try to connect to a Samba server,
they get NT_STATUS_PASSWORD_MUST_CHANGE.

Please fix this. TIA.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Sun, 16 Aug 2009 06:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oded Naveh <skilinux@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 16 Aug 2009 06:24:03 GMT) Full text and rfc822 format available.

Message #10 received at 532859@bugs.debian.org (full text, mbox):

From: Oded Naveh <skilinux@gmail.com>
To: 532859@bugs.debian.org
Subject: Warning: sambaPwdLastSet became a mandatory ldapsam attribute
Date: Sat, 15 Aug 2009 23:03:44 +0300
Hi Josip

Thank you for this bug report, it has been a great help in figuring out the
problem that prevents users from logging in from Samba clients.

However, once pointed towards sambaPwdLastSet I found the following warning in
the Release Notes for Samba 3.0.2a and all subsequent 3.0.x releases:

******************* Attention! Achtung! Kree! *********************

Beginning with Samba 3.0.2, passwords for accounts with a last 
change time (LCT-XXX in smbpasswd, sambaPwdLastSet attribute in
ldapsam, etc...) of zero (0) will be regarded as uninitialized 
strings.  This will cause authentication to fail for such
accounts.  If you have valid passwords that meet this criteria, 
you must update the last change time to a non-zero value.  If you
do not, then 'pdbedit --force-initialized-passwords' will disable
these accounts and reset the password hashes to a string of X's.

******************* Attention! Achtung! Kree! *********************

This was also included in Debian's package: samba (3.0.24-6etch10), as 
WHATSNEW.txt.

ref: http://samba.org/samba/history/samba-3.0.2a.html




Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (Sun, 16 Aug 2009 08:09:27 GMT) Full text and rfc822 format available.

Notification sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Bug acknowledged by developer. (Sun, 16 Aug 2009 08:09:27 GMT) Full text and rfc822 format available.

Message #15 received at 532859-done@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 532859-done@bugs.debian.org
Cc: Oded Naveh <skilinux@gmail.com>
Subject: Re: [Pkg-samba-maint] Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning
Date: Sun, 16 Aug 2009 09:39:10 +0200
> As it turns out, they didn't have the sambaPwdLastSet attribute in their
> LDAP entries. This was easy to fix, but still a regression from Samba 3.0.
> Nothing actually told me that the attribute was missing, I concluded it from
> reading the code... it seems like this part of the code is the culprit:


As it was just pointed out today by Oded Naveh, this change (prevent
logging in from clients when sambaPwdLastSet is not set) is an upstream
change that was documented, and indeed was even there in etch's
version (the change appeared in 3.0.2).


I don't really understand why and how things were working for you in
etch but, indeed, impossible logins from accounts that don't have
sambaPwdLastSet is a "normal" expected behaviour in post-3.0.2 samba
versions.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Sun, 16 Aug 2009 09:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 16 Aug 2009 09:30:06 GMT) Full text and rfc822 format available.

Message #20 received at 532859@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: 532859@bugs.debian.org
Subject: Re: Bug#532859 closed by Christian Perrier <bubulle@debian.org> (Re: [Pkg-samba-maint] Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning)
Date: Sun, 16 Aug 2009 11:27:21 +0200
On Sun, Aug 16, 2009 at 08:09:27AM +0000, Debian Bug Tracking System wrote:
> > As it turns out, they didn't have the sambaPwdLastSet attribute in their
> > LDAP entries. This was easy to fix, but still a regression from Samba 3.0.
> > Nothing actually told me that the attribute was missing, I concluded it from
> > reading the code... it seems like this part of the code is the culprit:
> 
> 
> As it was just pointed out today by Oded Naveh, this change (prevent
> logging in from clients when sambaPwdLastSet is not set) is an upstream
> change that was documented, and indeed was even there in etch's
> version (the change appeared in 3.0.2).

This entry in WHATSNEW.txt needs to go into NEWS.Debian in order for us who
upgrade the package to see it, surely? Nevertheless, see below...

> I don't really understand why and how things were working for you in
> etch but, indeed, impossible logins from accounts that don't have
> sambaPwdLastSet is a "normal" expected behaviour in post-3.0.2 samba
> versions.

>                 if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) {
> In the old version from etch, that looked like this:
>                 if (must_change_time == 0 && last_set_time != 0) {

Well you can see from these that the logic had changed. Their handling of
the last_set_time clearly differs, one checks == 0 and the other != 0.
And I've told you earlier what the actual behaviour in the wild was - the
etch version didn't forbid logins, the lenny version did.

I read the text pasted from WHATSNEW.txt and it says "sambaPwdLastSet
attribute in ldapsam" with the value of "zero (0)". In my case, there was
*no* attribute and no value, not a zero (0) value. If these two situations
are treated as equal, then this needs to be pointed out to the unwitting
user because it certainly isn't clear now. If someone says "zero" and then
clarifies with "0" in parenthesis, then a reasonable reading is that it is
an inclusive definition, not a vague definition that may also implicitly
include 'null', 'false', 'missing', etc.

All in all this is just another bug in my series of ldapsam complaints. The
code expects a certain strict data set in LDAP, yet it does very few if any
pre-emptive consistency checks. Coupled with changing requirements like we
see in this case, that's a recipe for failure when met with random user data.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Mon, 17 Aug 2009 09:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 17 Aug 2009 09:27:04 GMT) Full text and rfc822 format available.

Message #25 received at 532859@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Josip Rodin <joy@debbugs.entuzijast.net>, 532859@bugs.debian.org
Subject: Re: [Pkg-samba-maint] Bug#532859: closed by Christian Perrier <bubulle@debian.org> (Re: Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning)
Date: Mon, 17 Aug 2009 09:30:13 +0200
Quoting Josip Rodin (joy@debbugs.entuzijast.net):

> > As it was just pointed out today by Oded Naveh, this change (prevent
> > logging in from clients when sambaPwdLastSet is not set) is an upstream
> > change that was documented, and indeed was even there in etch's
> > version (the change appeared in 3.0.2).
> 
> This entry in WHATSNEW.txt needs to go into NEWS.Debian in order for us who
> upgrade the package to see it, surely? Nevertheless, see below...

Why this one and not the gazillion other changes introduced by
upstream? Imagine what we would then have to document when squeeze is
released (with a 3.2.5->3.4.whatever bump).

Samba's upstream often does behavioural changes similar to this one. I
don't think that the Debian package users would benefit from us
documenting each and every upstream change in NEWS.Debian. 

We did this a few times...but for much more disruptive changes than
this one which, imho, belongs to the "normal" life of the software.

> All in all this is just another bug in my series of ldapsam complaints. The
> code expects a certain strict data set in LDAP, yet it does very few if any
> pre-emptive consistency checks. Coupled with changing requirements like we
> see in this case, that's a recipe for failure when met with random user data.


Maybe..:-)

This should really be dealt with upstream directly. I'm not sure about
the value we, Debian maintainers, have in such cases. Acting as a
proxy with upstream does not really add benefit to your bug report,
just risking not reporting exactly what you want to report.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Mon, 17 Aug 2009 23:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 17 Aug 2009 23:15:03 GMT) Full text and rfc822 format available.

Message #30 received at 532859@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>, 532859@bugs.debian.org
Cc: Josip Rodin <joy@debbugs.entuzijast.net>
Subject: Re: Bug#532859: [Pkg-samba-maint] Bug#532859: closed by Christian Perrier <bubulle@debian.org> (Re: Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning)
Date: Mon, 17 Aug 2009 16:11:02 -0700
On Mon, Aug 17, 2009 at 09:30:13AM +0200, Christian Perrier wrote:
> Why this one and not the gazillion other changes introduced by
> upstream? Imagine what we would then have to document when squeeze is
> released (with a 3.2.5->3.4.whatever bump).

> Samba's upstream often does behavioural changes similar to this one. I
> don't think that the Debian package users would benefit from us
> documenting each and every upstream change in NEWS.Debian. 

I think this is a change that it would have been a good idea to document in
NEWS.Debian, or to automatically provide a transition for on upgrade, *if*
the issue had been noticed sooner.

So long after the change was made, I don't think it makes sense to go back
and add it to NEWS.Debian now.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#532859; Package samba. (Tue, 18 Aug 2009 10:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 18 Aug 2009 10:57:03 GMT) Full text and rfc822 format available.

Message #35 received at 532859@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Steve Langasek <vorlon@debian.org>
Cc: Christian Perrier <bubulle@debian.org>, 532859@bugs.debian.org
Subject: Re: Bug#532859: [Pkg-samba-maint] Bug#532859: closed by Christian Perrier <bubulle@debian.org> (Re: Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning)
Date: Tue, 18 Aug 2009 12:50:50 +0200
On Mon, Aug 17, 2009 at 04:11:02PM -0700, Steve Langasek wrote:
> On Mon, Aug 17, 2009 at 09:30:13AM +0200, Christian Perrier wrote:
> > Why this one and not the gazillion other changes introduced by
> > upstream? Imagine what we would then have to document when squeeze is
> > released (with a 3.2.5->3.4.whatever bump).
> 
> > Samba's upstream often does behavioural changes similar to this one. I
> > don't think that the Debian package users would benefit from us
> > documenting each and every upstream change in NEWS.Debian. 
> 
> I think this is a change that it would have been a good idea to document in
> NEWS.Debian, or to automatically provide a transition for on upgrade, *if*
> the issue had been noticed sooner.
> 
> So long after the change was made, I don't think it makes sense to go back
> and add it to NEWS.Debian now.

People who have not done the etch->lenny upgrade yet would appreciate it.
There will be those for many months to come - and their hesitation is not
entirely unwarranted judging by this example. Right now if they stumble upon
this problem at least they get exact instructions from the BTS, but before
this bug report they were on their own, and that was four months into the
life of Samba 3.2 packages in 'stable'.

Samba-run domains are usually production server software so it stands to
reason that they won't get all that much actual upgrade testing during our
testing cycle - it takes a fair bit of work to set up in the first place
(not just on Debian machines but on the remainder of the domain as well);
I'm guessing that few people want to spend time upgrading their DCs to
testing versions and continuously risk upgrade problems. Obviously this
strategy is self-defeating if most people apply it, but still...

Anyway, this problem could be detected in the code if there was a way for
the ldapsam code to deliver the message (either to the admin or to the
generic auth code) that the LDAP backend was faulty, i.e. that it doesn't
have the mandatory sambaPwdLastSet field (at all) even though the auth code
is searching for it.

The solution would be pretty much the same as the solution for the SNAFU
SIDs in #474108 and for the sambaGroupMapping handler mentioned in #520309 -
when faced with a potential problem with the LDAP database, the code should
simply say something about it in the log; ignoring it can easily lead to
problems.

Alternatively, or in addition, the package upgrade scripts could check for
usage of ldapsam in smb.conf and if so show a debconf note saying "check
the documentation again to make sure your old LDAP backend won't break your
domain".

-- 
     2. That which causes joy or happiness.
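The pre-emptive consistency check asked for in the message above, and the sam_account_ok() condition quoted in the original report, can be combined into a small audit that an admin runs against an LDIF dump of the directory before an etch->lenny upgrade. The script below is an added example, not code from Samba or from the Debian package: it parses a constructed LDIF sample (the DNs, SIDs and timestamps are made up), treats a missing sambaPwdLastSet the same way an absent attribute ends up in ldapsam (the field stays at its default of 0, which is exactly the case the report describes), applies the 3.2-era predicate (skip X/N flagged accounts and W/S trust accounts, then flag last_set_time == 0), and logs the accounts that would get NT_STATUS_PASSWORD_MUST_CHANGE. The etch-era condition is included as a pure function of the two timestamps so the two behaviours can be compared side by side; how must_change_time was derived from LDAP in 3.0 is not shown on the page and is not modelled.

```python
"""Audit sambaSamAccount entries for the sambaPwdLastSet condition discussed
in Debian bug #532859.  Added example; not Samba or Debian package code."""
from typing import Dict, List, Tuple

# Constructed sample LDIF (hypothetical DNs, SIDs and timestamps).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-1001
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1244800000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1-2-3-1002
sambaAcctFlags: [U          ]

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-1-2-3-1003
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: dave
sambaSID: S-1-5-21-1-2-3-1004
sambaAcctFlags: [NU         ]

dn: uid=ws1$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws1$
sambaSID: S-1-5-21-1-2-3-1005
sambaAcctFlags: [W          ]
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries separated by blank lines, continuation
    lines start with a space.  Base64 (::) values are not handled."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def acct_flags(entry: Entry) -> set:
    """Flag letters from sambaAcctFlags, e.g. '[NU         ]' -> {'N', 'U'}.
    N = ACB_PWNOTREQ, X = ACB_PWNOEXP, W = ACB_WSTRUST, S = ACB_SVRTRUST."""
    raw = entry.get("sambaAcctFlags", ["[U          ]"])[0]
    return {ch for ch in raw.strip("[] ") if ch.isalpha()}


def pass_last_set_time(entry: Entry) -> int:
    """An absent attribute leaves the field at its default of 0, so to the
    auth code 'missing' and '0' are the same thing (the case in the report)."""
    values = entry.get("sambaPwdLastSet")
    if not values:
        return 0
    try:
        return int(values[0])
    except ValueError:
        return 0


def lenny_must_change(entry: Entry) -> bool:
    """The 3.2 sam_account_ok() condition quoted in the report."""
    flags = acct_flags(entry)
    if "X" in flags or "N" in flags:      # ACB_PWNOEXP / ACB_PWNOTREQ
        return False
    if "W" in flags or "S" in flags:      # trust accounts are exempt
        return False
    return pass_last_set_time(entry) == 0


def etch_must_change(must_change_time: int, last_set_time: int) -> bool:
    """The 3.0 (etch) condition quoted in the report, on the raw timestamps."""
    return must_change_time == 0 and last_set_time != 0


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(uid, reason) for every sambaSamAccount that would fail logon on 3.2."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid = e.get("uid", ["?"])[0]
        if lenny_must_change(e):
            reason = ("missing sambaPwdLastSet" if "sambaPwdLastSet" not in e
                      else "sambaPwdLastSet is 0")
            findings.append((uid, reason))
    return findings


if __name__ == "__main__":
    for uid, reason in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"WARNING: account '{uid}': {reason}; "
              "logon would return NT_STATUS_PASSWORD_MUST_CHANGE")
```

Run against a real dump (for example the output of ldapsearch in LDIF form, piped into parse_ldif) the warnings name the accounts to fix before the upgrade; note that with last_set_time == 0 the etch condition never fires, which is why the same entries logged in fine before.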




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Sep 2009 07:37:43 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:59:51 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.