[Samba] password expiration problem

Anton E. Panchenko pae at chernigovka.org
Tue Dec 1 15:19:15 MST 2009


Greetings. I have a password expiration problem that I cannot
handle myself, so I am writing to this list.
> Recently I discovered that a newly created Samba account already has an
> expired password.
>
> smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy 
> -c "Tommy T." tommy
> smbldap-passwd tommy
>
> getent shadow
> user:*:::::::0
> user2:*:::::::0
> user3:*:::365::::0
> tommy:*:::365::::0
>
> su tommy
> pam_mount password:
> Password aged
> Enter login(LDAP) password:
>
> auth.log
> /dev/pts/5 user:tommy
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication 
> failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=  
> user=tommy
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired 
> password for user tommy (password aged)
> Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user 
> "tommy" does not exist in /etc/passwd
> Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token 
> manipulation error
> Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user
>
> smb.conf
> [global]
>   workgroup = WORKGROUP
>   server string = %h server
> ;   wins server = w.x.y.z
>   dns proxy = no
> ;   name resolve order = lmhosts host wins bcast
> ;   interfaces = 127.0.0.0/8 eth0
> ;   bind interfaces only = yes
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog only = yes
>   syslog = 0
>   panic action = /usr/share/samba/panic-action %d
> log level = 3 vfs:2
>   security = user
>   encrypt passwords = true
>   obey pam restrictions = no
> ; unix password sync = no
> ldap passwd sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
> *all*authentication*tokens*updated
>   pam password change = no
> passdb backend = ldapsam:ldap://auth.workgroup
> ldap ssl = no
> ldap admin dn = cn=admin,dc=workgroup
> ldap suffix = dc=workgroup
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> unix extensions = no
> ;   domain logons = yes
> ;   logon path = \\%N\profiles\%U
> ;   logon drive = H:
> ;   logon script = logon.cmd
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> ldap delete dn = yes
> delete user script = /usr/sbin/smbldap-userdel "%u"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> smbldap.conf
> SID="S-1-5-21-482339686-3080510186-2817641028"
> sambaDomain="WORKGROUP"
> slaveLDAP="auth.workgroup"
> slavePort="389"
> masterLDAP="auth.workgroup"
> masterPort="389"
> ldapTLS="0"
> verify="none"
> suffix="dc=workgroup"
> usersdn="ou=Users,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Users,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
> scope="sub"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="365"
> userSmbHome="\\NAS\%U"
> userProfile="\\NAS\profiles\%U"
> userHomeDrive="H:"
> userScript="%U.cmd"
> mailDomain="workgroup"
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> with_slappasswd="0"
> slappasswd="/usr/sbin/slappasswd"
>
>
> slapd.conf
> include        /etc/ldap/schema/core.schema
> include        /etc/ldap/schema/cosine.schema
> include        /etc/ldap/schema/inetorgperson.schema
> include        /etc/ldap/schema/misc.schema
> include        /etc/ldap/schema/nis.schema
> include        /etc/ldap/schema/samba.schema
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> loglevel        256
> modulepath    /usr/lib/ldap
> moduleload    back_bdb
> sizelimit 500
> tool-threads 1
> backend        bdb
> database        bdb
> suffix          "dc=workgroup"
> directory       "/var/lib/ldap"
> dbconfig set_cachesize 0 2097152 0
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
> index    objectClass                eq
> index    cn                    pres,sub,eq
> index    sn                    pres,sub,eq
> index    uid                    pres,sub,eq
> index    displayName                pres,sub,eq
> index    default                    sub
> index    uidNumber                eq
> index    gidNumber                eq
> index    mail,givenName                eq,subinitial
> index    dc                    eq
> index    memberUid                eq
> index    sambaSID                eq
> index    sambaPrimaryGroupSID            eq
> index    sambaDomainName                eq
> index    sambaGroupType                eq
> index    sambaSIDList                eq
> index    uniqueMember                eq
> lastmod         on
> checkpoint      512 30
> access to 
> attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>    by dn="cn=admin,dc=workgroup" write
>    by anonymous auth
>    by self write
>    by * none
>
> access to dn.base="" by * read
>
> access to *
>        by dn="cn=admin,dc=workgroup" write
>        by * read
>
> smbldap-usershow tommy
> dn: uid=tommy,ou=Users,dc=workgroup
> objectClass: 
> top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient 
>
> cn: tommy
> sn: tommy
> givenName: tommy
> uid: tommy
> uidNumber: 1099
> gidNumber: 513
> homeDirectory: /home/tommy
> loginShell: /bin/bash
> gecos: T. Tommy
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: tommy
> sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
> sambaLogonScript: tommy.cmd
> sambaProfilePath: \\NAS\profiles\tommy
> sambaHomePath: \\NAS\tommy
> sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
> sambaHomeDrive: H:
> mailLocalAddress: tommy
> mail: tommy at workgroup
> sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 3DBDE697D71690A769204BEB12283678
> sambaPwdLastSet: 1259217976
> sambaPwdMustChange: 1290753976
> userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
> shadowLastChange: 14574
> shadowMax: 365
>
> smbd --version
> Version 3.2.5
>
> debian lenny
>
> slapd -V
> @(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
>    buildd at ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
>
> Thanks in advance
I've changed this in slapd.conf
Code:

#access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
access to attrs=userPassword,sambaNTPassword,sambaLMPassword

getent shadow now shows:

Code:

user:*:::::::0
user2:*:::::::0
tommy:*:14579::365::::0

This way I've managed to log in as user tommy. Presumably the original ACL (`by * none` on shadowLastChange) kept the NSS lookup from reading that attribute, so getent showed an empty last-change field and pam_unix treated the password as aged; moving shadowLastChange out of that ACL lets it fall under the `access to *` rule, where it is readable, so the last-change date (14579) now comes through.

