[Samba] password expiration problem
Anton E. Panchenko
pae at chernigovka.org
Tue Dec 1 15:19:15 MST 2009
Greetings. I have a password expiration problem I cannot handle myself, so I am writing to this list.
> Recently I discovered that a newly created Samba account already has an
> expired password.
>
> smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy
> -c "Tommy T." tommy
> smbldap-passwd tommy
>
> getent shadow
> user:*:::::::0
> user2:*:::::::0
> user3:*:::365::::0
> tommy:*:::365::::0
>
> su tommy
> pam_mount password:
> Password aged
> Enter login(LDAP) password:
>
> auth.log
> /dev/pts/5 user:tommy
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication
> failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=
> user=tommy
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired
> password for user tommy (password aged)
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user
> "tommy" does not exist in /etc/passwd
> Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token
> manipulation error
> Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user
>
> smb.conf
> [global]
> workgroup = WORKGROUP
> server string = %h server
> ; wins server = w.x.y.z
> dns proxy = no
> ; name resolve order = lmhosts host wins bcast
> ; interfaces = 127.0.0.0/8 eth0
> ; bind interfaces only = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = yes
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> log level = 3 vfs:2
> security = user
> encrypt passwords = true
> obey pam restrictions = no
> ; unix password sync = no
> ldap passwd sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated
> pam password change = no
> passdb backend = ldapsam:ldap://auth.workgroup
> ldap ssl = no
> ldap admin dn = cn=admin,dc=workgroup
> ldap suffix = dc=workgroup
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> unix extensions = no
> ; domain logons = yes
> ; logon path = \\%N\profiles\%U
> ; logon drive = H:
> ; logon script = logon.cmd
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> ldap delete dn = yes
> delete user script = /usr/sbin/smbldap-userdel "%u"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> smbldap.conf
> SID="S-1-5-21-482339686-3080510186-2817641028"
> sambaDomain="WORKGROUP"
> slaveLDAP="auth.workgroup"
> slavePort="389"
> masterLDAP="auth.workgroup"
> masterPort="389"
> ldapTLS="0"
> verify="none"
> suffix="dc=workgroup"
> usersdn="ou=Users,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Users,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
> scope="sub"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="365"
> userSmbHome="\\NAS\%U"
> userProfile="\\NAS\profiles\%U"
> userHomeDrive="H:"
> userScript="%U.cmd"
> mailDomain="workgroup"
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> with_slappasswd="0"
> slappasswd="/usr/sbin/slappasswd"
>
>
> slapd.conf
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/misc.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/samba.schema
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 256
> modulepath /usr/lib/ldap
> moduleload back_bdb
> sizelimit 500
> tool-threads 1
> backend bdb
> database bdb
> suffix "dc=workgroup"
> directory "/var/lib/ldap"
> dbconfig set_cachesize 0 2097152 0
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index default sub
> index uidNumber eq
> index gidNumber eq
> index mail,givenName eq,subinitial
> index dc eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index sambaGroupType eq
> index sambaSIDList eq
> index uniqueMember eq
> lastmod on
> checkpoint 512 30
> access to
> attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
> by dn="cn=admin,dc=workgroup" write
> by anonymous auth
> by self write
> by * none
>
> access to dn.base="" by * read
>
> access to *
> by dn="cn=admin,dc=workgroup" write
> by * read
>
> smbldap-usershow tommy
> dn: uid=tommy,ou=Users,dc=workgroup
> objectClass:
> top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
>
> cn: tommy
> sn: tommy
> givenName: tommy
> uid: tommy
> uidNumber: 1099
> gidNumber: 513
> homeDirectory: /home/tommy
> loginShell: /bin/bash
> gecos: T. Tommy
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: tommy
> sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
> sambaLogonScript: tommy.cmd
> sambaProfilePath: \\NAS\profiles\tommy
> sambaHomePath: \\NAS\tommy
> sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
> sambaHomeDrive: H:
> mailLocalAddress: tommy
> mail: tommy at workgroup
> sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 3DBDE697D71690A769204BEB12283678
> sambaPwdLastSet: 1259217976
> sambaPwdMustChange: 1290753976
> userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
> shadowLastChange: 14574
> shadowMax: 365
>
> smbd --version
> Version 3.2.5
>
> debian lenny
>
> slapd -V
> @(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
> buildd at ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
>
> Thanks in advance
I have changed this in slapd.conf:
Code:
#access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
getent shadow now shows:
Code:
user:*:::::::0
user2:*:::::::0
tommy:*:14579::365::::0
This way I have managed to log in as user tommy. The earlier rule allowed shadowLastChange to be read only by the admin DN and by the user itself (`by * none` for everyone else), so the NSS lookup behind getent shadow saw an empty last-change field and PAM treated the password as aged; with shadowLastChange removed from that rule it falls under the final `access to * ... by * read` entry, which means it is now readable by anyone who can read the directory, while the password hashes remain restricted.