Samba Notes

posted in Linux Administration
in section Various
published at 2018-04-21
created at 2014-02-07
written by Ivan Stana

pdbedit

Pdbedit is a tool which works with several backends - TDB, smbpasswd, probably LDAP. But we can dump raw database with tdbdump (default in Samba 3).

list users

pdbedit -L

list users with passwords

The best way is to use smbpasswd output. man 5 smbpasswd. The first should be XXXXX...XX - it is LM (LanMan) password. The next segment with hexa characters is NT password.

pdbedit -L -w

logs for a user with expired password!

I've already fixed warnings. Samba profile doesn't show expired password. It uses PAM for checking with system account, although it can be turned off.

root@n2orava:/network/profiles# pdbedit -L -v xbachanm
Unknown parameter encountered: "client ntlm auth"
Ignoring unknown parameter "client ntlm auth"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Forcing Primary Group to 'Domain Users' for xbachanm
Unix username:        xbachanm
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-2378965587-1336110492-1595441937-1594
Primary Group SID:    S-1-5-21-2378965587-1336110492-1595441937-513
Full Name:            John Doe
Home Directory:       \\orava\xbachanm
HomeDir Drive:        
Logon Script:         
Profile Path:         \\orava\xbachanm\profile
Domain:               NORAVA
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          St, 06 feb 2036 16:06:39 CET
Kickoff time:         St, 06 feb 2036 16:06:39 CET
Password last set:    Ut, 30 sep 2014 01:13:45 CEST
Password can change:  Ut, 30 sep 2014 01:13:45 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

NT_STATUS_WRONG_PASSWORD. Thanks for misleading! At least there is PAM in logs. I have turned on insane debugging level.

[2014/09/30 14:02:55.655582,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [ZSSDK]\[xbachanm]@[ORAVA] with the new password interface
[2014/09/30 14:02:55.655636,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [ZSSDK]\[xbachanm]@[ORAVA]
[2014/09/30 14:02:55.657337,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for xbachanm
[2014/09/30 14:02:55.657972,  3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: sam authentication for user [xbachanm] succeeded
[2014/09/30 14:02:55.660059,  2] auth/pampass.c:577(smb_pam_account)
  smb_pam_account: PAM: There was an authentication error for user xbachanm
[2014/09/30 14:02:55.660114,  2] auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: Account Check Failed : Zlyhanie overenia
[2014/09/30 14:02:55.660164,  0] auth/pampass.c:797(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User xbachanm!
[2014/09/30 14:02:55.660446,  3] auth/auth.c:299(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [xbachanm] FAILED with error NT_STATUS_WRONG_PASSWORD
[2014/09/30 14:02:55.660518,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/09/30 14:02:55.660856,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

syslog, daemon.log, samba/log.orava

1368:  check_ntlm_password:  Checking password for unmapped user [ZSSDK]\[xbachanm]@[ORAVA] with the new password interface
1370:  check_ntlm_password:  mapped user is: [ZSSDK]\[xbachanm]@[ORAVA]
1372:  Forcing Primary Group to 'Domain Users' for xbachanm
1374:  check_ntlm_password: sam authentication for user [xbachanm] succeeded
1376:  smb_pam_account: PAM: There was an authentication error for user xbachanm
1380:  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User xbachanm!
1382:  check_ntlm_password:  PAM Account for user [xbachanm] FAILED with error NT_STATUS_WRONG_PASSWORD

See auth.log:

36792:Sep 30 13:55:13 n2orava smbd[21355]: pam_unix(samba:account): account xbachanm has expired (failed to change password)
36793:Sep 30 13:55:16 n2orava smbd[21359]: pam_unix(samba:account): account xbachanm has expired (failed to change password)
36816:Sep 30 13:59:01 n2orava smbd[21926]: pam_unix(samba:account): account xbachanm has expired (failed to change password)
36848:Sep 30 14:02:55 n2orava smbd[22218]: pam_unix(samba:account): account xbachanm has expired (failed to change password)

9999 days were too little. It is only cca 23 years.

bad:
root@n2orava:/var/log# getent shadow xbachanm
xbachanm:$6$foobar:1:0:9999:30:0::0

good:
root@n2orava:/var/log# getent shadow rainbowunicorn
rainbowunicorn:$6$foobar:15225:0:99999:7:0::0
VISITORS 24H: 0 48H: 0 1W: 0 1M: 0 Since 2016/01/13: 3347 || PAGEVIEWS 24H: 0 48H: 0 1W:0 1M: 0 Since 2016/01/13: 50430 || BOT ACTIVITY:???