Hello,
I got a very strange issue using samba. From a Windows 7 client that joined the domain, i want to change a user password. Here is what i am doing exactly :
Loging into the domain account, with username and password.
Pressing ctrl + alt + del
Clic on Change password menu
Enter old password and 2 times new password.
Then the result depend. If i proccess that on a virtual machine where windows 7 is installed, that work perfectly, the GUI say that the password is successfully updated and the password is updated for real.
But if i try on my real windows 7 on my laptop, or on my friend laptop (both windows 7), that won't work and display that error message :
The system has detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
Additionnals informations : My friend tested it on samba : 3.5.5(compiled) 4.1.17(apt-get) and a 4.5.5 (compiled and personnal jail managment). I tedted by myself on a fresh install of 4.5.5 (compiled).
The amazing thing is that with the same user i can change the password from the virtual machine but from the real machine.
The virtual machine is not up to date.
I'm looking for a solution since yesterday, i can't find anything then i need your help.
Thank you in advance ! =)
EDIT :
I solved it at least, the problem was from Microsoft Windows update.
There are 3 recent security updates that cause the issue :
KB3175024
KB3172605
KB3167679
Just uninstall them as a temporary workaround.
It seems the issue appear only on NT4 PDC, then upgrading to AD DC would fix it.
Microsoft propose also a workaround solution but i didnt got it : https://support.microsoft.com/en-us/kb/3167679
Hmmmmm........I'm not a Debian expert but I know that Samba on Debian (like most other O/S's) uses it's own password management and doesn't use the Unix/Linux password (eg, /etc/passwd or /etc/shadow).
So having installed Samba you need to set up Samba credentials for the Samba user (which must also pre-exist as a Linux user). Once Samba is installed, the Samba password for a user can be set automatically by the sysadmin resetting the Linux password for a user even if you set the password to what it is already. The password is then hashed within the Samba management system.
If you don't get answers on this forum I would suggest you (or I) get an admin or moderator to move this thread to the specialist Debian forum.
Having said that, this forum "UNIX for Beginners Questions and Answers" isn't listing the moderators at the bottom of the web page (which forums usually do). However, if need be, we can post to the mod comms forum to get somebody with the necessary clout to move your thread.
I'm pretty sure it's not about Debian, the issue appear from a samba that i compile myself.
I think you didnt really got the way i want to change the user password.
When you hit "Ctrl + Alt + Del" from windows client, you can select the option "Change password".
When i'm doing that from my virtual machine, that work 100%.
When i'm doing that from my real machine, that don't work at all.
Are you trying to change the password for the same user from both routes? Or for different users?
The point I am making is this.
You have a Unix system with a user on it with his Unix login password.
You then install Samba.
You then configure this user to use Samba.
Samba will NOT use the Unix login password for this user so at this point the user still cannot user Samba. (**)
The Samba password (although normally set the same as the Unix password) needs to be set.
However, at this point the Unix O/S knows that this user is also a Samba user so if the sysadmin resets that user's password, the system sets the user's Samba password at the same time too.
At this point the user can access using Samba.
So if the user tries to change password via Samba at this point (**), it will produce a security error.
Samba passwords are usually (depending on the exact Samba implementation) hashed in a 'smbpasswd' or 'smbpassword' file on the Unix system somewhere. You can look in there and see whether hashed passwords exist and for which users.
Yes, I know that this doesn't feel like a Debian problem but just perhaps it is. I cannot think of why one Samba client would behave differently to another from a security point of view.