[Samba] Samba + LDAP + Password Expiry = Almost working...

Kristyan Osborne kris at longhill.brighton-hove.sch.uk
Tue Sep 16 22:55:36 GMT 2003

Try looking at the parameter passwd chat = 
The man pages should help you out here.
Kristyan Osborne - IT Technician
Longhill High School
01273 391672

	-----Original Message----- 
	From: Collins, Kevin [mailto:KCollins at nesbittengineering.com] 
	Sent: Tue 16/09/2003 17:53 
	To: 'samba at lists.samba.org' 
	Subject: [Samba] Samba + LDAP + Password Expiry = Almost working...

	I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
	nearly 3 months now without much bother.
	By the way: Great work and thanks for all of the effort!

	I have been missing one minor thing from the setup since I moved away from
	NT 4: Password Expiration.  In the past I have posted questions about this
	on the list and I've gotten two answers:  "Wait for 3." or "Write your own
	script to do it for you."  Well, I sorta went the second route.

	By "sorta" I mean that I modified a pre-existing script to make it do what I
	wanted it to.  What I did was this... I started with IDEALX's howto and
	scripts to get things going.  I had Samba configured to use their
	"smbldap-passwd.pl" script to modify passwords.  That worked, I could change
	any Windows account password from Windows or the command line and indeed all
	three passwords for that user are changed (Unix, LM and NT passwords).

	I later discovered the LDAP entry "pwdMustChange" while looking at a user
	account one day.  When I set this to a date inside of 14 days from today,
	Windows begins to bark about "Password will expire in X days" - Great, I
	thought, I found my solution.  But the default password change script
	wouldn't modify this value.

	So I modified the script to where it would.  This is where my confusion
	starts.  When I run my modified script from the command line, I get the
	password changes I expect and I get the pwdMustChange date changes I expect
	too.  "Cool!" I thought - things are coming together.  But when I turn to my
	Windows machine (Windows 2000 or XP) and change my password all I get is the
	password changes and the value for "pwdLastSet" being changed.

	HUH?  If Samba is being told to run my script in its configuration file with
	"passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u", then why doesn't
	it work like when I run it from the command line?

	To put it simply, when I run my script on the command line, it works -
	exactly the way I want.  When Samba is told to change passwords from a
	Windows machine, it either doesn't use my script or is passing some other
	information that causes the script to perform differently.  In either case,
	I have spent the better part of two days looking for a cure to this and not
	been able to find a solution.

	So, I'm hoping that someone here will be able to help me.  I have included
	the smb.conf file and the modified version of the IDEALX smbpasswd.pl script
	below.  Any help is appreciated.

	If it comes down to it, I (think I) can create a script that will do what I
	need outside of the IDEALX stuff, but I would prefer not to as they seem to
	work so well.
	# --       Nesbitt Engineering, Inc. Stargazer Samba Configuration
	# This is the main Samba configuration file for Stargazer - NEI's Primary
	# Domain Controller and Lexington office File Server.
	# This configuration file is only to be used for an LDAP enabled server that
	# will be acting as a PDC.  Modifications will be required for member
	# and machine that will act as "BDCs".
	# Any line which starts with a ; (semi-colon) or a # (hash)
	# is a comment and is ignored. In this file we have used a #
	# for commentary and a ; for parts of the config file that are
	# either not enabled yet, or temporarily disabled
	# NOTE: Whenever you modify this file you should run the command "testparm"
	# to check that you have not made any basic syntactic errors.
	# "Fear the Penguin!"
	#   -- Kevin L. Collins
	#      Systems Manager
	#      Nesbitt Engineering, Inc.
	# Changelog:
	# Date - Version - Change
	#                * Info about change
	# 06/04/03 - 1.0 - Original Creation
	#============================= Global Settings
	[global]
	# Server Name and description
	   workgroup = nesbitt.local
	   netbios name = stargazer
	   server string = Stargazer - Lexington File Server
	# Samba log information
	   log file = /var/log/samba/%m.log
	   max log size = 0
	# Security information
	   security = user
	   encrypt passwords = yes
	   smb passwd file = /etc/samba/smbpasswd
	   unix password sync = Yes
	   passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
	   passwd chat = *New*Password* %n\n *Retype*New*Password* %n\n
	# To help performance
	   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	# Settings for PDC setup
	   local master = yes
	   os level = 80
	   domain master = yes
	   preferred master = yes
	   domain logons = yes
	   logon path =
	# Activate these Network Services
	   wins support = yes
	   time server = yes
	# LDAP Declarations -- Needed to allow the LDAP backend to work
	   ldap suffix = dc=nesbitt,dc=local
	   ldap admin dn = cn=Manager,dc=nesbitt,dc=local
	   ldap port = 389
	   ldap server =
	   ldap ssl = no
	   add user script = /usr/local/sbin/smbldap-useradd.pl -w %m
	   domain admin group = " @"Domain Admins" "
	# Oplocks settings - disable all oplocks for compatibility reasons
	   oplocks = no
	   level2 oplocks = no
	   kernel oplocks = no
	#============================= Share Definitions
	[netlogon]
	   comment = Network Logon Service
	   path = /usr/local/samba/lib/netlogon
	   guest ok = yes
	   writable = no
	   write list = @"domain admins"
	   share modes = no
	[homes]
	   comment = Home Directories
	   browseable = no
	   writable = yes
	   valid users = %S
	   create mode = 0664
	   directory mode = 0775
	   comment = Administrative Files
	   path = /npdata/admin
	   writable = yes
	   create mode = 0777
	   directory mode = 0777
	   comment = Files to be Archived
	   path = /npdata/archives
	   writeable = yes
	   valid users = @"domain admins" @"project management" kcollins bmcgregor
	   create mode = 0777
	   directory mode = 0777
	   comment = NEI Custom AutoCAD and Eagle Point Files
	   path = /npdata/cadfiles
	   writable = yes
	   create mode = 0777
	   directory mode = 0777
	[county maps]
	   comment = Raster Versions of County Maps
	   path = /images/county
	   writeable = yes
	   create mode = 0777
	   directory mode = 0777
	   comment = Various Windows Drivers
	   path = /npdata/drivers
	   read only = yes
	   write list = @"domain admins" kcollins bmcgregor
	   create mode = 0777
	   directory mode = 0777
	   comment = Accounting Data
	   path = /account/finance
	   writable = yes
	   valid users = @"domain admins" @"senior management" accounting
	   create mode = 0777
	   directory mode = 0777
	   comment = Lexington Project Data
	   path = /pdata/projects
	   writeable = yes
	   create mode = 0777
	   directory mode = 0777
	   comment = Raster Versions of USGS Quads
	   path = /images/quads
	   writable = yes
	   create mode = 0777
	   directory mode = 0777
	   comment = Timeslips Data
	   path = /account/timeslips
	   writable = yes
	   valid users = @"clerical staff" @"domain admins" accounting
	   create mode = 0777
	   directory mode = 0777
	#!/usr/bin/perl -w
	# LDAP to unix password sync script for samba
	#  This code was developed by IDEALX (http://IDEALX.org/) and
	#  contributors (their names can be found in the CONTRIBUTORS file).
	#                 Copyright (C) 2001-2002 IDEALX
	#  This program is free software; you can redistribute it and/or
	#  modify it under the terms of the GNU General Public License
	#  as published by the Free Software Foundation; either version 2
	#  of the License, or (at your option) any later version.
	#  This program is distributed in the hope that it will be useful,
	#  but WITHOUT ANY WARRANTY; without even the implied warranty of
	#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	#  GNU General Public License for more details.
	#  You should have received a copy of the GNU General Public License
	#  along with this program; if not, write to the Free Software
	#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
	#  USA.
	#  Purpose :
	#       . ldap-unix passwd sync for SAMBA-2.2.2 + LDAP
	#       . may also replace /bin/passwd
	use strict;
	use smbldap_tools;
	use smbldap_conf;

	my $user;
	my $oldpass;
	my $ret;
	my $arg;

	foreach $arg (@ARGV) {
	        if ($< != 0) {
	                die "Only root can specify parameters\n";
	        } else {
	                if ( ($arg eq '-?') || ($arg eq '--help') ) {
	                        print "Usage: $0 [username]\n";
	                        print "  -?, --help                     show this help message\n";
	                        exit (6);
	                } elsif (substr($arg,0,1) ne '-')  {
	                        # anything not starting with '-' is the user name
	                        $user = $arg;
	                }
	                # root is never asked for the current password
	                $oldpass = 1;
	        }
	}

	# no name given: change the calling user's own password
	if (!defined($user)) {
	        $user = $ENV{USER};
	}

	# test existence of user in LDAP
	my $dn_line;
	if (!defined($dn_line = get_user_dn($user))) {
	    print "$0: user $user doesn't exist\n";
	    exit (10);
	}
	my $dn = get_dn_from_line($dn_line);
	my $samba = is_samba_user($user);
	print "Changing password for $user\n";

	# non-root user
	if (!defined($oldpass)) {
	    # prompt for current password
	        system "stty -echo";
	        print "(current) UNIX password: ";
	        chomp($oldpass = <STDIN>);
	        print "\n";
	        system "stty echo";
	        if (!is_user_valid($user, $dn, $oldpass)) {
	            print "Authentication failure\n";
	            exit (10);
	        }
	}

	# prompt for new password
	my $pass;
	my $pass2;
	system "stty -echo";
	print "New password : ";
	chomp($pass = <STDIN>);
	print "\n";
	system "stty echo";
	system "stty -echo";
	print "Retype new password : ";
	chomp($pass2 = <STDIN>);
	print "\n";
	system "stty echo";
	if ($pass ne $pass2) {
	    print "New passwords don't match!\n";
	    exit (10);
	}

	# only modify smb passwords if smb user
	if ($samba == 1) {
	    if (!$with_smbpasswd) {
	# generate LanManager and NT clear text passwords
	# *****************************************************
	# modified on 05-04-03 by Kevin Collins of NEI
	# -----------------------------------------------------
	# Added the "$neidate" and "$chgdate" variables so that
	# the "pwdMustChange" field can be set to a value of 90
	# days in the future from today.
	# It is hoped that by changing this field in this way,
	# the Windows users must change their account passwords
	# every 90 days.
	# *****************************************************
	        if ($mk_ntpasswd eq '') {
	            print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n";
	            exit (1);
	        }
	        # note: $pass is put on a shell command line here and for ldappasswd
	        # below, so it is visible in the process list and a single quote in
	        # it breaks the quoting
	        my $ntpwd = `$mk_ntpasswd '$pass'`;
	        # now, in seconds since the epoch, plus 90 days (90*24*3600)
	        chomp(my $neidate = `/bin/date +%s`);
	        my $chgdate = $neidate + 7776000;
	        chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
	        chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
	# change nt/lm passwords
	# ***************************************************
	# Modified on 05-04-03 by Kevin Collins of NEI
	# ---------------------------------------------------
	# Added the modify "pwdMustChange" field for password
	# changes.  See Modification note above for reasons.
	# ***************************************************
	        # one LDIF modify record; '-' separates the attribute changes
	        my $tmpldif =
	"$dn_line
	changetype: modify
	replace: pwdMustChange
	pwdMustChange: $chgdate
	-
	replace: lmpassword
	lmpassword: $lmpassword
	-
	replace: ntpassword
	ntpassword: $ntpassword
	-

	";
	        die "$0: error while modifying password for $user\n"
	            unless (do_ldapmodify($tmpldif) == 0);
	        undef $tmpldif;
	    }
	    else {
	        if ($< != 0) {
	            my $FILE="|$smbpasswd -s >/dev/null";
	            open (FILE, $FILE) || die "$!\n";
	            print FILE <<EOF;
	$oldpass
	$pass
	$pass
	EOF
	            close FILE;
	        } else {
	            my $FILE="|$smbpasswd $user -s >/dev/null";
	            open (FILE, $FILE) || die "$!\n";
	            print FILE <<EOF;
	$pass
	$pass
	EOF
	            close FILE;
	        }
	    }
	}

	# change unix password
	$ret = system "$ldappasswd $dn -s '$pass' > /dev/null";
	if ($ret == 0) {
	    print "all authentication tokens updated successfully\n";
	} else {
	    # system() returns the wait status; the exit code is in the high byte
	    exit ($ret >> 8);
	}
	exit 0;
	# - The End
	=head1 NAME

	smbldap-passwd.pl - change user password

	=head1 SYNOPSIS

	  smbldap-passwd.pl [name]

	=head1 DESCRIPTION

	       smbldap-passwd.pl changes passwords for user accounts. A normal user
	       may only change the password for their own account, the super user may
	       change the password for any account.

	   Password Changes
	       The user is first prompted for their old password, if one is present.
	       This password is then tested against the stored password by binding
	       to the server. The user has only one chance to enter the correct
	       password. The super user is permitted to bypass this step so that
	       forgotten passwords may be changed.

	       The user is then prompted for a replacement password. As a general
	       guideline, passwords should consist of 6 to 8 characters including
	       one or more from each of following sets:

	            Lower case alphabetics
	            Upper case alphabetics
	            Digits 0 thru 9
	            Punctuation marks

	       passwd will prompt again and compare the second entry against the
	       first. Both entries are required to match in order for the password
	       to be changed.

	=head1 SEE ALSO

	=cut
	Kevin L. Collins, MCSE
	Systems Manager
	Nesbitt Engineering, Inc.
	To unsubscribe from this list go to the following URL and read the
	instructions:  http://lists.samba.org/mailman/listinfo/samba
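The "passwd chat" parameter Kristyan points at is what decides whether smbd and the script understand each other: smbd runs the passwd program on a pseudo-terminal and sends each reply only after the program's output matches the next wildcard pattern, so a prompt the chat does not expect leaves the exchange waiting until it times out. The Python below is an added example (not code from this thread, from Samba or from IDEALX) that replays that exchange against any program, so a chat string such as the one in the smb.conf above can be checked against a script's real prompts before it is relied on from Windows; it treats the pattern match as case-insensitive and leaves out other smbd details.

```python
import fnmatch, os, pty, select, shlex, subprocess

def parse_chat(chat, user, new_pw, old_pw=""):
    """Samba 'passwd chat' string -> [(expect_pattern, reply), ...]: tokens
    alternate expect/reply, double quotes group words, '.' means nothing,
    '\\n' is a newline and %n/%o/%u expand to new/old password and user name."""
    toks = [t[1:-1] if t[:1] == '"' and t[-1:] == '"' else t
            for t in shlex.split(chat, posix=False)]
    pairs = []
    for i in range(0, len(toks), 2):
        expect = "" if toks[i] == "." else toks[i].lower()  # case-insensitive match
        reply = toks[i + 1] if i + 1 < len(toks) and toks[i + 1] != "." else ""
        for k, v in (("\\n", "\n"), ("%n", new_pw), ("%o", old_pw), ("%u", user)):
            reply = reply.replace(k, v)
        pairs.append((expect, reply))
    return pairs

def _read(fd, timeout):
    """One chunk from the pty master; '' on timeout or once the child is gone."""
    if not select.select([fd], [], [], timeout)[0]:
        return ""
    try:
        return os.read(fd, 1024).decode(errors="replace")
    except OSError:  # EIO: the child exited and closed its side of the pty
        return ""

def run_chat(argv, chat, user, new_pw, timeout=2.0):
    """Run argv on a pseudo-terminal and answer its prompts from the chat, as smbd
    drives 'passwd program'.  Returns (success, transcript)."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)
    transcript, ok = "", True
    for expect, reply in parse_chat(chat, user, new_pw):
        buf = ""
        while ok and expect and not fnmatch.fnmatchcase(buf.lower(), expect):
            chunk = _read(master, timeout)  # '*' in the pattern spans newlines
            ok, buf = bool(chunk), buf + chunk  # no chunk: the prompt never came
        transcript += buf
        if not ok:
            break
        os.write(master, reply.encode())  # an empty reply writes nothing
    while ok and (chunk := _read(master, timeout)):  # keep the final output too
        transcript += chunk
    os.close(master)  # hangs up on a child left waiting for a reply
    try:
        proc.wait(timeout)
    except subprocess.TimeoutExpired:
        proc.kill(); proc.wait()
    return ok and proc.returncode == 0, transcript
```

Point argv at the real script (with the same "-o user" arguments as in smb.conf) and the returned transcript shows exactly which prompt the chat stalled on, which is what "passwd chat debug" would otherwise have to be turned on for.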
