samba-tool user setexpiry is broken in 4.7

Jeff Sadowski jeff.sadowski at gmail.com
Wed Aug 9 14:48:34 UTC 2017


In Windows AD you can set different group policies where you change
the maxPwdAge for users. I'm curious if the same steps work in Samba AD.
Let me dig up my experiment.

On Wed, Aug 2, 2017 at 1:12 AM, Andreas Schneider via samba-technical <samba-technical at lists.samba.org> wrote:

> On Wednesday, 2 August 2017 08:56:11 CEST Andrew Bartlett via samba-technical wrote:
> > On Wed, 2017-08-02 at 08:27 +0200, Andreas Schneider via samba-technical wrote:
> > > On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-technical wrote:
> > > > On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > > > > On Tue, 01 Aug 2017 18:07:52 +0200 Andreas Schneider via samba-technical <samba-technical at lists.samba.org> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > The command 'samba-tool user setexpiry' doesn't work!
> > > > > >
> > > > > > Reproducer:
> > > > > >
> > > > > > make testenv SELFTEST_TESTENV=ad_member
> > > > > >
> > > > > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://localdc.samba.example.com --username=administrator --password=locDCpass1
> > > > > > Expiry for user 'alice' set to 4 days.
> > > > > >
> > > > > > $ bin/wbinfo --name-to-sid alice
> > > > > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > > > > >
> > > > > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c "queryuser 1105"
> > > > > > User Name   :   alice
> > > > > > ...
> > > > > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > > > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > > > > >
> > > > > >
> > > > > > The must change time is 41 days away and not 4 days as set!
> > > > > >
> > > > > >
> > > > > > Either the test python/samba/tests/samba_tool/user.py does not
> > > > > > work as it should, or there is a bug in the rpc server.
> > > > >
> > > > > Hi Andreas, I think you are getting a bit mixed up here, account
> > > > > expiry has nothing to do with the password.
> > > >
> > > > Damn, how do you change the password expiration?
> > >
> > > Check the attached patch, that irritated me.
> >
> > I'm not sure that is correct.  I think the tool is just horribly
> > confused, mixing the different expiry in the same command.
> >
> > That option appears to control UF_DONT_EXPIRE_PASSWD, which is
> > per-user.
> >
> > Sorry,
> >
> > Andrew Bartlett
>
> Then I think it should be moved to setpassword.
>
>
>         Andreas
>
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             asn at samba.org
> www.samba.org
>
>
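
The distinction discussed in this thread, as an added example that is not from any poster or from Samba's code: account expiry is read from accountExpires alone, while the "Password must change Time" is derived from pwdLastSet, the domain maxPwdAge and the UF_DONT_EXPIRE_PASSWD bit. The 42-day maxPwdAge, the dictionary layout, the function names and the model of a change that writes only accountExpires are assumptions chosen to match the queryuser output above.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl bit named in the thread
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values meaning "never"
NO_MAX_AGE = (0, -0x8000000000000000)      # maxPwdAge values meaning "no password aging"

def to_nttime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC, as AD stores timestamps."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_nttime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_must_change(user, max_pwd_age):
    """Password expiry: pwdLastSet plus the (negative) maxPwdAge. None = never."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD or max_pwd_age in NO_MAX_AGE:
        return None
    if user["pwdLastSet"] == 0:            # flagged "change at next logon": already due
        return EPOCH_1601
    return from_nttime(user["pwdLastSet"] - max_pwd_age)

def account_expires(user):
    """Account expiry: the accountExpires attribute alone. None = never."""
    ticks = user["accountExpires"]
    return None if ticks in NEVER_EXPIRES else from_nttime(ticks)

def set_account_expiry(user, days, now):
    """Assumed model of a change that writes accountExpires and nothing else."""
    return {**user, "accountExpires": to_nttime(now + timedelta(days=days))}

# Constructed sample: pwdLastSet is 17:50:08 CEST from the queryuser output, in UTC.
MAX_PWD_AGE = -42 * 86400 * 10**7          # assumed 42-day policy
ALICE = {"userAccountControl": 0x200,      # NORMAL_ACCOUNT
         "pwdLastSet": to_nttime(datetime(2017, 8, 1, 15, 50, 8, tzinfo=timezone.utc)),
         "accountExpires": 0x7FFFFFFFFFFFFFFF}
NOW = datetime(2017, 8, 1, 16, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    after = set_account_expiry(ALICE, 4, NOW)
    for label, u in (("before", ALICE), ("after", after)):
        print(label, "password must change:", password_must_change(u, MAX_PWD_AGE),
              "| account expires:", account_expires(u))
```

When auditing expiry settings, read both values per account: a short account expiry does not shorten the password lifetime, and UF_DONT_EXPIRE_PASSWD removes the password deadline regardless of maxPwdAge.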

