RES: [Samba] maximum password age
Luiz Alfredo Baggiotto
luiz at pucrs.br
Mon Dec 26 11:52:37 GMT 2005
Dear admins
I have a similar problem.
When I use smbldap-passwd from command line, the sambaPwdMustChange field are setted correctly. But when I try from the Windows workstation, appears a negative value!
Please see it:
# pdbedit -Lv someuser
(......)
Logon time: 0
Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
Kickoff time: 0
Password last set: Fri, 23 Dec 2005 11:51:02 BRT
Password can change: Fri, 23 Dec 2005 11:51:02 BRT
Password must change: Wed, 26 Dec 2005 07:42:45 BRT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Now, if I use "Ctrl-Alt-Del" - "Change Password...", from a Windows workstation, I have this output:
# pdbedit -Lv someuser
(......)
Logon time: 0
Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
Kickoff time: 0
Password last set: Fri, 23 Dec 2005 11:51:02 BRT
Password can change: Fri, 23 Dec 2005 11:51:02 BRT
Password must change: Wed, 03 Jun 1936 17:42:45 BRT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
In my smb.conf I have:
(......)
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *password* %n\n *new*password* %n\n
passwd chat debug = Yes
encrypt passwords = Yes
log level = 1
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
add group script = /usr/local/sbin/smbldap-groupadd "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
(......)
I was reviewed the smbldap-tools configuration and didn´t found any problem. And the most strange thing is that if I run from command line the same "passwd program", everything works:
# /usr/local/sbin/smbldap-passwd someuser
Changing password for someuser
New password :
Retype new password :
# pdbedit -Lv someuser
(......)
Logon time: 0
Logoff time: Tue, 19 Jan 2038 00:14:07 BRT
Kickoff time: 0
Password last set: Mon, 26 Dec 2005 08:42:15 BRT
Password can change: Fri, 23 Dec 2005 11:51:02 BRT
Password must change: Tue, 26 Dec 2006 07:42:15 BRT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
I don´t know how much time it´s happening (I have this SAMBA domain about one year ago, but this error was reported only in the last week). I´m suspecting there are a problem with any Microsoft patch, but I updated my samba to version 3.0.21 and the problem persists.
Can someone help me?
Thanks a lot
Luiz
> -----Mensagem original-----
> De: samba-bounces+baggiotto=ieee.org at lists.samba.org
> [mailto:samba-bounces+baggiotto=ieee.org at lists.samba.org] Em
> nome de Alessandro
> Enviada em: sexta-feira, 23 de dezembro de 2005 18:47
> Para: nik600
> Cc: samba at lists.samba.org
> Assunto: Re: [Samba] maximum password age
>
> nik600 wrote:
> > On 12/19/05, simo wrote:
> >
> >> On lun, 2005-12-19 at 13:37 +0100, nik600 wrote:
> >>
> >>> i've tried to set the maximum age of passwords with:
> >>>
> >>> root at servlan:~# pdbedit -P "maximum password age" -C
> 8035200 account
> >>> policy value for maximum password age was 8035200 account policy
> >>> value for maximum password age is now 8035200
> >>>
> >>> as you can see Password must change: Fri, 13 Dec 1901
> 21:45:51 GMT
> >>> is
> >>>
> >> wrong!
> >>
> >>> what can i do to set the password max age?
> >>>
> >> The maximum password age is a server setting, not a specific user
> >> setting.
> >>
> >> It tells the server how to calculate the Password must
> change field
> >> when, and _only_ when the user password is changed.
> >>
> >> When the user changes it's password, the Password must
> change field
> >> is calculated as current time + maximum password age seconds.
> >>
> >> Changing the maximum password age setting will not change any
> >> existing user Password must change field. You either need
> to force a
> >> user to change his password or edit the password must
> change field by yourself.
> >>
> >> This is hot NT has been designed, and is also the only sane way it
> >> can work.
> >>
> >> Simo.
> >>
> >
> >
> > thanks for your reply but i've tried to change the password and the
> > value Password must change doesn't change!
> >
> hmmmm
>
> let's check:
>
> # pdbedit -v -u storm | grep must
> Password must change: ven, 13 dic 1901 21:45:51 GMT
>
> Now I try to set "maximum password age" like yours:
>
> # pdbedit -P "maximum password age" -C 8035200
> account policy value for maximum password age was 4294967295
> account policy value for maximum password age is now 8035200
> # smbpasswd storm
> New SMB password:
> Retype new SMB password:
>
> check it again:
>
> # pdbedit -v -u storm | grep must
> Password must change: dom, 26 mar 2006 22:37:01 GMT
>
> I think that's what you want!!!! but now let's have more days
> to play with:
>
> # pdbedit -P "maximum password age" -C 1003089564
> # smbpasswd storm
> New SMB password:
> Retype new SMB password:
> # pdbedit -v -u storm | grep must
> Password must change: mar, 06 ott 2037 18:38:54 GMT
>
> Cheers...
>
> Alex!
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
More information about the samba
mailing list