ENC: [Samba] maximum password age
Luiz Alfredo Baggiotto
luiz at pucrs.br
Mon Dec 26 19:44:56 GMT 2005
> Dear admins
>
> I have a similar problem.
> When I use smbldap-passwd from command line, the
> sambaPwdMustChange field are setted correctly. But when I try
> from the Windows workstation, appears a negative value!
> Please see it:
>
> # pdbedit -Lv someuser
> (......)
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
> Kickoff time: 0
> Password last set: Fri, 23 Dec 2005 11:51:02 BRT
> Password can change: Fri, 23 Dec 2005 11:51:02 BRT Password
> must change: Wed, 26 Dec 2005 07:42:45 BRT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Now, if I use "Ctrl-Alt-Del" - "Change Password...", from a
> Windows workstation, I have this output:
>
> # pdbedit -Lv someuser
> (......)
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
> Kickoff time: 0
> Password last set: Fri, 23 Dec 2005 11:51:02 BRT
> Password can change: Fri, 23 Dec 2005 11:51:02 BRT Password
> must change: Wed, 03 Jun 1936 17:42:45 BRT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> In my smb.conf I have:
> (......)
> passwd program = /usr/local/sbin/smbldap-passwd %u
> passwd chat = *password* %n\n *new*password* %n\n
> passwd chat debug = Yes
> encrypt passwords = Yes
> log level = 1
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> set primary group script =
> /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> add user to group script =
> /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script =
> /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> add group script = /usr/local/sbin/smbldap-groupadd "%g"
> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> (......)
>
> I was reviewed the smbldap-tools configuration and didn´t
> found any problem. And the most strange thing is that if I
> run from command line the same "passwd program", everything works:
>
> # /usr/local/sbin/smbldap-passwd someuser Changing password
> for someuser New password :
> Retype new password :
> # pdbedit -Lv someuser
> (......)
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
> Kickoff time: 0
> Password last set: Mon, 26 Dec 2005 08:42:15 BRT
> Password can change: Fri, 23 Dec 2005 11:51:02 BRT Password
> must change: Tue, 26 Dec 2006 07:42:15 BRT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> I don´t know how much time it´s happening (I have this SAMBA
> domain about one year ago, but this error was reported only
> in the last week). I´m suspecting there are a problem with
> any Microsoft patch, but I updated my samba to version 3.0.21
> and the problem persists.
> Can someone help me?
> Thanks a lot
>
> Luiz
>
>
> > -----Mensagem original-----
> > De: samba-bounces+baggiotto=ieee.org at lists.samba.org
> > [mailto:samba-bounces+baggiotto=ieee.org at lists.samba.org]
> Em nome de
> > Alessandro Enviada em: sexta-feira, 23 de dezembro de 2005 18:47
> > Para: nik600
> > Cc: samba at lists.samba.org
> > Assunto: Re: [Samba] maximum password age
> >
> > nik600 wrote:
> > > On 12/19/05, simo wrote:
> > >
> > >> On lun, 2005-12-19 at 13:37 +0100, nik600 wrote:
> > >>
> > >>> i've tried to set the maximum age of passwords with:
> > >>>
> > >>> root at servlan:~# pdbedit -P "maximum password age" -C
> > 8035200 account
> > >>> policy value for maximum password age was 8035200
> account policy
> > >>> value for maximum password age is now 8035200
> > >>>
> > >>> as you can see Password must change: Fri, 13 Dec 1901
> > 21:45:51 GMT
> > >>> is
> > >>>
> > >> wrong!
> > >>
> > >>> what can i do to set the password max age?
> > >>>
> > >> The maximum password age is a server setting, not a
> specific user
> > >> setting.
> > >>
> > >> It tells the server how to calculate the Password must
> > change field
> > >> when, and _only_ when the user password is changed.
> > >>
> > >> When the user changes it's password, the Password must
> > change field
> > >> is calculated as current time + maximum password age seconds.
> > >>
> > >> Changing the maximum password age setting will not change any
> > >> existing user Password must change field. You either need
> > to force a
> > >> user to change his password or edit the password must
> > change field by yourself.
> > >>
> > >> This is hot NT has been designed, and is also the only
> sane way it
> > >> can work.
> > >>
> > >> Simo.
> > >>
> > >
> > >
> > > thanks for your reply but i've tried to change the
> password and the
> > > value Password must change doesn't change!
> > >
> > hmmmm
> >
> > let's check:
> >
> > # pdbedit -v -u storm | grep must
> > Password must change: ven, 13 dic 1901 21:45:51 GMT
> >
> > Now I try to set "maximum password age" like yours:
> >
> > # pdbedit -P "maximum password age" -C 8035200
> > account policy value for maximum password age was 4294967295
> > account policy value for maximum password age is now 8035200
> > # smbpasswd storm
> > New SMB password:
> > Retype new SMB password:
> >
> > check it again:
> >
> > # pdbedit -v -u storm | grep must
> > Password must change: dom, 26 mar 2006 22:37:01 GMT
> >
> > I think that's what you want!!!! but now let's have more
> days to play
> > with:
> >
> > # pdbedit -P "maximum password age" -C 1003089564
> > # smbpasswd storm
> > New SMB password:
> > Retype new SMB password:
> > # pdbedit -v -u storm | grep must
> > Password must change: mar, 06 ott 2037 18:38:54 GMT
> >
> > Cheers...
> >
> > Alex!
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
> >
More information about the samba
mailing list