AIX Open Source


After update to Samba 4.18.5 password change on remote machine fails

  • 1.  After update to Samba 4.18.5 password change on remote machine fails

    Posted Thu November 02, 2023 08:00 AM

    Hi team,

    after updating Samba from 4.16.8 to 4.18.5 on AIX 7300-01-02-2320, smbpasswd (local as well as for a remote machine [ -r ] ) fails with an error message.
    On other machines still using Samba 4.16.8 this works as expected.

    Here is an example on machine "p2900" and Samba user "eumel":
    The only possibility to change the password for a user is now doing this as root [ smbpasswd eumel ].

    [p2900]::eumel:>
    $ smbpasswd
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    machine 127.0.0.1 rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.

    # smbpasswd -r xx.xxxx.xxx.xxx -U eumel
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    machine xx.xxx.xxx.xxx rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.


    As smbclient -L works as expected, the entered password seems correct.

    # smbclient -L xx.xxx.xxx.xxx -U eumel
    Password for [MYGROUP\eumel]:

            Sharename       Type      Comment
            ---------       ----      -------
            tmp             Disk      /tmp
            tss             Disk      /tmp/stop+start
            IPC$            IPC       IPC Service (Samba Server Version 4.18.5)
    SMB1 disabled -- no workgroup available

    Verbose Attributes for test user "eumel"

    # pdbedit -Lvu eumel
    Unix username:        eumel
    NT username:
    Account Flags:        [U          ]
    User SID:             S-1-5-21-3956352309-1821967982-15604192-1000
    Primary Group SID:    S-1-5-21-3956352309-1821967982-15604192-513
    Full Name:            ... TEST EUMEL ...
    Home Directory:       \\P2900\eumel
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\P2900\eumel\profile
    Domain:               P2900
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Thu, 02 Nov 2023 10:43:33 CET
    Password can change:  Thu, 02 Nov 2023 10:43:33 CET
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

    Here are all the rpms installed/updated in the course of the Samba update from 4.16.8 to 4.18.5:

    # rpm -qa --queryformat ' %{NAME}-%-{VERSION}-%{RELEASE}; %{BUILDHOST}; %{INSTALLTIME}; %{INSTALLTIME:date} \n' | sort -rbn -t ";" -k3,3
     samba-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390891; Fri Oct 27 09:14:51 2023
     samba-winbind-clients-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390890; Fri Oct 27 09:14:50 2023
     samba-winbind-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390890; Fri Oct 27 09:14:50 2023
     samba-libs-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390890; Fri Oct 27 09:14:50 2023
     samba-devel-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390889; Fri Oct 27 09:14:49 2023
     samba-common-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390889; Fri Oct 27 09:14:49 2023
     samba-client-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390887; Fri Oct 27 09:14:47 2023
     python3.9-3.9.18-1; pokndd4.pok.stglabs.ibm.com; 1698390887; Fri Oct 27 09:14:47 2023
     libsmbclient-4.18.5-1; pokndd4.pok.stglabs.ibm.com; 1698390887; Fri Oct 27 09:14:47 2023
     gettext-0.21-2; pokndd5.pok.stglabs.ibm.com; 1698390862; Fri Oct 27 09:14:22 2023
     gdbm-1.23-1; pokndd5.pok.stglabs.ibm.com; 1698390862; Fri Oct 27 09:14:22 2023
     expat-2.5.0-1; pokndd5.pok.stglabs.ibm.com; 1698390862; Fri Oct 27 09:14:22 2023
     libtextstyle-0.21-2; pokndd5.pok.stglabs.ibm.com; 1698390860; Fri Oct 27 09:14:20 2023
     libiconv-1.17-1; pokndd5.pok.stglabs.ibm.com; 1698390859; Fri Oct 27 09:14:19 2023
     glib2-2.56.1-3; pokndd5.pok.stglabs.ibm.com; 1698390859; Fri Oct 27 09:14:19 2023
     libxml2-2.9.11-1; pokndd10.pok.stglabs.ibm.com; 1698390857; Fri Oct 27 09:14:17 2023
     libunistring-0.9.10-1; pokndd5.pok.stglabs.ibm.com; 1698390857; Fri Oct 27 09:14:17 2023
     libgomp-10-2; p8c3-lp1.aus.stglabs.ibm.com; 1698390857; Fri Oct 27 09:14:17 2023
     sqlite-3.41.2-1; pokndd4.pok.stglabs.ibm.com; 1698390856; Fri Oct 27 09:14:16 2023
     libgomp10-10.3.0-6; p8c3-lp1.aus.stglabs.ibm.com; 1698390856; Fri Oct 27 09:14:16 2023
     libffi-3.4.2-1; pokndd4.pok.stglabs.ibm.com; 1698390856; Fri Oct 27 09:14:16 2023
     ncurses-6.4-1; pokndd5.pok.stglabs.ibm.com; 1698390855; Fri Oct 27 09:14:15 2023
     libstdc++10-10.3.0-6; p8c3-lp1.aus.stglabs.ibm.com; 1698390845; Fri Oct 27 09:14:05 2023
     libstdc++-10-2; p8c3-lp1.aus.stglabs.ibm.com; 1698390845; Fri Oct 27 09:14:05 2023
     zlib-1.2.13-1; pokndd5.pok.stglabs.ibm.com; 1698390842; Fri Oct 27 09:14:02 2023
     libgcc10-10.3.0-6; p8c3-lp1.aus.stglabs.ibm.com; 1698390842; Fri Oct 27 09:14:02 2023
     libgcc-10-2; p8c3-lp1.aus.stglabs.ibm.com; 1698390842; Fri Oct 27 09:14:02 2023
    [ ...]
    Kind regards
    Simon



    ------------------------------
    Simon Klinner
    ------------------------------


  • 2.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Mon January 08, 2024 09:06 AM
    Edited by Simon Klinner Mon January 08, 2024 09:57 AM

    The problem even persists in Samba 4.18.9.
    At least I could narrow it down to be caused by a change between Samba 4.16.11 and 4.18.5.
    If I downgrade to 4.16.11, smbpasswd as a normal user works as expected. If I update to 4.18.5 or 4.18.9 it fails.

    By turning up the log level in smb.conf, smbpasswd shows the difference between Error Messages:

    *1 Old SMB password -> deliberately wrong password entered
    - leads to Error Message "SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information. Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE"

    $ date ; smbpasswd
    Mon Jan  8 11:52:50 CET 2024
    INFO: Current debug levels:
      all: 10
      tdb: 10
    [...]
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    Connecting to 127.0.0.1 at port 445
    [...]
    gensec_update_done: spnego[300479d8]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[3004d118/../../auth/gensec/spnego.c:1632]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (3004d218)] timer[0] finish[../../auth/gensec/spnego.c:2116]
    SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
    Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE

    *2 Old SMB password -> correct password entered
    - leads to Error Message "machine 127.0.0.1 rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct."

    $ date ; smbpasswd
    Mon Jan  8 11:51:21 CET 2024
    INFO: Current debug levels:
      all: 10
      tdb: 10
    [...]
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    Connecting to 127.0.0.1 at port 445
    [...]
    GENSEC auth	
    ntlmssp_unseal_packet: seal	
    ntlmssp_check_packet: NTLMSSP signature OK !	
    Got pdu len 64, data_len 4	
    rpc_api_pipe_got_pdu: got frag len of 64 at offset 0: NT_STATUS_OK	
    rpc_api_pipe: host 127.0.0.1 returned 4 bytes.	
         samr_ChangePasswordUser4: struct samr_ChangePasswordUser4	
            out: struct samr_ChangePasswordUser4	
                result                   : NT_STATUS_WRONG_PASSWORD	
    signed SMB2 message (sign_algo_id=2)	
    signed SMB2 message (sign_algo_id=2)	
    machine 127.0.0.1 rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.	

    One change between the two Samba versions seems to be the method which is used to change passwords.
    4.16.11 uses samr_ChangePasswordUser2 while 4.18.5 uses samr_ChangePasswordUser4.

    ------------------------------
    Simon Klinner
    ------------------------------
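
Added example (not part of the original posts and not Samba code): a small triage script that separates the two failure modes shown in post 2, a session login that fails with the old password versus a login that succeeds while the samr_ChangePasswordUser password-change RPC itself is rejected. The sample traces are constructed from the log lines quoted above; the function name `classify` and the stage labels are assumptions made for this illustration.

```python
import re

# Constructed sample traces, reduced from the smbpasswd debug output in post 2.
WRONG_OLD_PASSWORD_LOG = """\
Connecting to 127.0.0.1 at port 445
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
"""
CORRECT_OLD_PASSWORD_LOG = """\
Connecting to 127.0.0.1 at port 445
ntlmssp_check_packet: NTLMSSP signature OK !
     samr_ChangePasswordUser4: struct samr_ChangePasswordUser4
        out: struct samr_ChangePasswordUser4
            result                   : NT_STATUS_WRONG_PASSWORD
"""

CONNECT_FAIL = re.compile(r"Could not connect to machine \S+: (NT_STATUS_\w+)")
RPC_OUT = re.compile(r"^\s*out: struct (samr_ChangePasswordUser\d*)")
RESULT = re.compile(r"^\s*result\s*:\s*(NT_STATUS_\w+)")


def classify(log):
    """Return (stage, rpc, status) for one smbpasswd debug trace.

    stage is 'session-auth' when the SMB login with the old password failed,
    'password-change-rpc' when the session authenticated but the RPC was
    rejected, 'changed' on success and 'unknown' otherwise.
    """
    authenticated = False
    rpc = None
    for line in log.splitlines():
        m = CONNECT_FAIL.search(line)
        if m:
            return ("session-auth", None, m.group(1))
        if "NTLMSSP signature OK" in line:
            authenticated = True  # the old password was accepted for the session
        m = RPC_OUT.match(line)
        if m:
            rpc = m.group(1)  # reply block of the password-change call
            continue
        m = RESULT.match(line)
        if m and rpc:
            status = m.group(1)
            if status == "NT_STATUS_OK":
                return ("changed", rpc, status)
            stage = "password-change-rpc" if authenticated else "rpc-unauthenticated"
            return (stage, rpc, status)
    return ("unknown", rpc, None)
```

A `password-change-rpc` result with NT_STATUS_WRONG_PASSWORD means the old password was already accepted for the session, so the rejection comes from the change request itself rather than from a mistyped password.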



  • 3.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Mon January 20, 2025 07:44 AM

    The problem even persists in Samba 4.21.2 in AIX 7300-01-02-2320

    # oslevel -s
    7300-01-02-2320

    $ /opt/freeware/sbin/smbd --version && /opt/freeware/bin/smbclient --version
    Version 4.21.2
    Version 4.21.2

    $ date ; smbpasswd
    Mon Jan 20 13:41:33 CET 2025
    [...]
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    Connecting to 127.0.0.1 at port 445
    [ ...]
    machine 127.0.0.1 rejected to change the passwordwith error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.



    ------------------------------
    Simon Klinner
    ------------------------------



  • 4.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Fri January 24, 2025 03:53 AM

    Hi,

    I have the same problem. I also use the 4.21.2 Samba Version from the Toolbox and I am on 7.3.3:

    # oslevel -s
    7300-03-00-2446

    But my users want to change their passwords. It should just be a temporary solution having to change it as root...
    Has your problem really existed since 2023???? No reply? Did you find a workaround besides the password change as root user?

    Thanks,



    ------------------------------
    Matthias Schreiber
    ------------------------------



  • 5.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Fri January 24, 2025 04:06 AM

    We will try to reproduce this on our end and update here with the findings.



    ------------------------------
    Ayappan P
    ------------------------------



  • 6.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Fri January 24, 2025 05:25 AM

    Thank you very much. I am very thankful - and if you need more input please feel free to contact. It's a bit urgent as the users need to have an option to change their password and I do not want to allow each user to execute smbpasswd -U <user> by sudo...



    ------------------------------
    Matthias Schreiber
    ------------------------------



  • 7.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Wed January 29, 2025 09:27 AM

    Hi Matthias,

    fortunately we use Samba on AIX only for internal purposes, so this - nonetheless very annoying situation - is not vital for us. 
    But no, we did not find another workaround for the problem. Meanwhile we also updated to AIX 7300-03-00-2446 and the behaviour stays the same.



    ------------------------------
    Simon Klinner
    ------------------------------



  • 8.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Thu February 06, 2025 02:28 AM

    Checking on this, recent Samba releases use different routines for the change password. The failure happens in samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt where the authentication data "digest" comparison fails. Looking more into it.



    ------------------------------
    Ayappan P
    ------------------------------



  • 9.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted Fri February 07, 2025 02:58 AM
    Edited by Matthias Schreiber Fri February 07, 2025 02:59 AM

    Thanks for your investigations. But what sounds a bit strange is: if it is just a decrypt issue, why does it also not work with new passwords? In my opinion, new passwords should be encrypted and decrypted with the same algorithm, so the comparison should not fail on those passwords.

    Hope you find the problem.
    Thank you.



    ------------------------------
    Matthias Schreiber
    ------------------------------



  • 10.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted 25 days ago
    Edited by Simon Klinner 25 days ago

    @Ayappan: Could you find any more details concerning this strange Samba behaviour? Even though this thread is already 18 months old, the problem still persists and I am still interested if there is any news.



    ------------------------------
    Simon Klinner
    ------------------------------



  • 11.  RE: After update to Samba 4.18.5 password change on remote machine fails

    Posted 24 days ago

    I haven't debugged the problem further. I opened an issue with the community at that time ( https://bugzilla.samba.org/show_bug.cgi?id=15793 ). I don't see any response, though.
    Will check again.



    ------------------------------
    Ayappan P
    ------------------------------