ntlm_auth - can login in AD with both old and new passwords

I have a problem with AD and ntlm_auth. I use the following command to query the AD server to check that a user exists:

ntlm_auth --use-cached-creds --username=SOME_USER --password=SOME_PASS --domain=SOME_DOMAIN

But the thing is, when I change the password of the user in AD, both of the following queries work:

ntlm_auth --use-cached-creds --username=SOME_USER --password=OLD_PASS --domain=SOME_DOMAIN
ntlm_auth --use-cached-creds --username=SOME_USER --password=NEW_PASS --domain=SOME_DOMAIN

If I delete the .tdb cache files in /var/cache/samba/, I can log in with only the NEW_PASS. How can I solve this? Is there any way to make the server not cache passwords? Or is there any flag for ntlm_auth which I can use so that the old password is not taken into consideration?

I'm using CentOS 5 and ntlm_auth 3.3.8.

Thanks in advance.


Sounds like you are running into a "feature" introduced in Server 2003 SP1 and still present in at least Server 2008 R2. By default, Domain Controllers now allow the most recent previous password to be used for NTLM authentication for one hour. This behavior can be modified by creating a DWORD value of OldPasswordAllowedPeriod at HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The value is in minutes; a value of 0 will disable it, and no restart is required. Note also that:

  1. This only applies to NTLM, not Kerberos authentication.
  2. This change must be made on each Domain Controller.
  3. The user's password policy must have password history enabled or this feature is effectively disabled.

See "Windows Server 2003 Service Pack 1 modifies NTLM network authentication behavior" for details.

EDIT: Giving credit where it's due, I originally stumbled on this article at http://timstechnoblog.blogspot.com/2010/02/old-password-still-valid-for-hour.html and remembered this question was unanswered.
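Since the change has to be made on every Domain Controller, here is an added example (not part of the answer above) that reports the current OldPasswordAllowedPeriod on each DC and then sets it to 0 to turn the grace period off. It assumes the ActiveDirectory PowerShell module is available where it is run and that PowerShell Remoting is enabled on the DCs; the variable names are my own.

```powershell
# Added example: disable the one-hour "old password still valid for NTLM" window
# on every Domain Controller. Assumes the ActiveDirectory module and PS Remoting.
$Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name    = 'OldPasswordAllowedPeriod'
$Minutes = 0   # value is in minutes; 0 disables the grace period, no restart needed

# Enumerate all DCs in the current domain so none is missed.
$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $Path, $Name, $Minutes -ScriptBlock {
    param($Path, $Name, $Minutes)

    # Read the existing value first so the change is auditable.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        "$env:COMPUTERNAME: $Name not set (built-in default of 60 minutes applies)"
    } else {
        "$env:COMPUTERNAME: $Name currently $current minute(s)"
    }

    # Create or overwrite the DWORD value.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Minutes -Force | Out-Null

    # Read it back to confirm the write took effect.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    "$env:COMPUTERNAME: $Name now $after minute(s)"
}
```

Run it from an account that can write to HKLM on the DCs. After it completes, retry the ntlm_auth command with OLD_PASS; it should now be rejected even without clearing the Samba .tdb cache, while Kerberos logons are unaffected because the setting only governs NTLM.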