Password change question/1: smbpasswd does not propagate passwords?!

Samba - General mailing list

Doing some tests, I've done, as root, on one DC:

 root@vdcpp1:~# smbpasswd gaio
 New SMB password:
 Retype new SMB password:
 root@vdcpp1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:      
 HomeDir Drive:        (null)
 Logon Script:        
 Profile Path:        
 Domain:              
 Account desc:         Marco Gaiarin
 Workstations:        
 Munged dial:          
 Logon time:           0
 Logoff time:          never
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    lun, 30 ott 2017 15:59:07 CET
 Password can change:  lun, 30 ott 2017 15:59:07 CET
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So the password seems changed. Then I've done, on the other DC:

 root@vdcsv1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:      
 HomeDir Drive:        (null)
 Logon Script:        
 Profile Path:        
 Domain:              
 Account desc:         Marco Gaiarin
 Workstations:        
 Munged dial:          
 Logon time:           lun, 30 ott 2017 12:49:12 CET
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    ven, 20 ott 2017 16:52:13 CEST
 Password can change:  ven, 20 ott 2017 16:52:13 CEST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So, the password seems not to get propagated.


I've done, on the first DC, 'su - gaio' and then:
 LNFFVG\gaio@vdcpp1:/$ samba-tool user password
 Password for [LNFFVG\gaio]:
 New Password:
 Retype Password:
 Changed password OK
 LNFFVG\gaio@vdcpp1:/$ logout
 root@vdcpp1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:      
 HomeDir Drive:        (null)
 Logon Script:        
 Profile Path:        
 Domain:              
 Account desc:         Marco Gaiarin
 Workstations:        
 Munged dial:          
 Logon time:           0
 Logoff time:          never
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    lun, 30 ott 2017 16:09:21 CET
 Password can change:  lun, 30 ott 2017 16:09:21 CET
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and in this way the password gets correctly propagated to the second DC:

 root@vdcsv1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:      
 HomeDir Drive:        (null)
 Logon Script:        
 Profile Path:        
 Domain:              
 Account desc:         Marco Gaiarin
 Workstations:        
 Munged dial:          
 Logon time:           lun, 30 ott 2017 12:49:12 CET
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    lun, 30 ott 2017 16:09:57 CET
 Password can change:  lun, 30 ott 2017 16:09:57 CET
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


Note that there are still some differences (e.g., 'Logon time' and 'Logoff
time').


So, the question: how replica works?! I'm confused...


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Password change question/1: smbpasswd does not propagate passwords?!

I reply to myself...

> So, the question: how replica works?! I'm confused...

To add ''strangeness'', I've done another password change, on DC1, and
verified that the password change time does not propagate to DC2.
After that I've done an ssh logon on DC2 (with that user, of course) and
I was able to use the new password, and the password change time got
''synchronized''.


After that, I'm now adding a bunch of users on DC2, and they do not appear
on DC1.


Is it normal? How can I debug this, or force a sync?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Re: Password change question/1: smbpasswd does not propagate passwords?!

On Tue, 31 Oct 2017 17:59:40 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

>
> I reply to myself...
>
> > So, the question: how replica works?! I'm confused...
>
> To add ''strangeness'', I've done another password change, on DC1, and
> verified that the password change time does not propagate to DC2.

Are you sure that it isn't propagating?
Have you checked the attribute 'pwdLastSet' in the user's object in AD
on all DCs?


ldbsearch -H /usr/local/samba/private/sam.ldb \
    -b "DC=samdom,DC=example,DC=com" -s sub \
    "(&(objectClass=user)(sAMAccountName=username))" pwdLastSet \
    | grep '[p]wdLastSet' | awk '{print $NF}'

Run the above command on all DCs, it should produce a number and the
number should be the same on all DCs.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb
DC=samdom,DC=example,DC=com with your NC
username with a user's name from your AD domain

You will also need ldb-tools installed.

> After that I've done an ssh logon on DC2 (with that user, of course)
> and I was able to use the new password, and the password change time got
> ''synchronized''.
>
>
> After that, I'm now adding a bunch of users on DC2, and they do not
> appear on DC1.

This is worrying, they should replicate to all DCs.

>
>
> Is it normal? How can I debug this, or force a sync?

Definitely not normal, how are you creating users?

Have a look at 'samba-tool ldapcmp --help' to check the AD databases.

Rowland
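
The pwdLastSet comparison described in this reply, as an added example that is not part of the original thread: it parses ldbsearch-style LDIF captured from two DCs and reports whether the values match. The LDIF samples are constructed, and the function names (pwd_last_set, filetime_to_epoch, compare_dcs) are hypothetical.

```sh
#!/bin/sh
# Added example: compare pwdLastSet as returned by ldbsearch on two DCs.
# The LDIF below is constructed sample data, not output from the thread.
DC1_LDIF='# record 1
dn: CN=Example User,CN=Users,DC=samdom,DC=example,DC=com
pwdLastSet: 131538491470000000

# returned 1 records'
DC2_LDIF='# record 1
dn: CN=Example User,CN=Users,DC=samdom,DC=example,DC=com
pwdLastSet: 131538485470000000

# returned 1 records'

# Print the pwdLastSet value found in ldbsearch LDIF output (empty if absent).
pwd_last_set() {
    printf '%s\n' "$1" | awk '$1 == "pwdLastSet:" { print $2; exit }'
}

# pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; convert to Unix epoch.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Print IN_SYNC, "DIFFER <seconds>", or MISSING for two LDIF captures.
compare_dcs() {
    a=$(pwd_last_set "$1")
    b=$(pwd_last_set "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        # Attribute absent, e.g. the user object is not present on that DC.
        echo "MISSING"
    elif [ "$a" = "$b" ]; then
        echo "IN_SYNC"
    else
        d=$(( ($a - $b) / 10000000 ))
        [ "$d" -lt 0 ] && d=$(( -d ))
        echo "DIFFER $d"
    fi
}

echo "DC1 pwdLastSet epoch: $(filetime_to_epoch "$(pwd_last_set "$DC1_LDIF")")"
echo "DC1 vs DC2: $(compare_dcs "$DC1_LDIF" "$DC2_LDIF")"
```

On real DCs, the two variables would hold the output of the ldbsearch command above, run on each DC.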


Re: Password change question/1: smbpasswd does not propagate passwords?!

Hello! Rowland Penny via samba
  On that day it was said...

> Have a look at 'samba-tool ldapcmp --help' to check the AD databases.

Ok, I'm writing on the blackboard:

        Have you opened the firewall in BOTH ways, gaio?
        Have you opened the firewall in BOTH ways, gaio?
        Have you opened the firewall in BOTH ways, gaio?
        ...

Sorry. And again thanks. ;-)

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Re: Password change question/1: smbpasswd does not propagate passwords?!

On Tue, 31 Oct 2017 19:19:26 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > Have a look at 'samba-tool ldapcmp --help' to check the AD
> > databases.
>
> Ok, I'm writing on the blackboard:
>
> Have you opened the firewall in BOTH ways, gaio?
> Have you opened the firewall in BOTH ways, gaio?
> Have you opened the firewall in BOTH ways, gaio?
> ...
>
> Sorry. And again thanks. ;-)
>

As I keep saying, you learn by your mistakes, only problem is, I keep
making the same mistakes ;-)

Rowland
