[Samba] Your password expires today problem

Martin Schmidt martin.schmidt at uni-wuerzburg.de
Mon Mar 1 04:49:28 MST 2010


Am 26.02.2010 14:51, schrieb Marcelo Terres:
> Let me understand.
>
>
>
> On Fri, Feb 26, 2010 at 6:52 AM, Martin Schmidt 
> <martin.schmidt at uni-wuerzburg.de 
> <mailto:martin.schmidt at uni-wuerzburg.de>> wrote:
>
>     hi again,
>
>     in my case it works now after setting the "maximum password age"
>     to a point far in future, but not to "never".
>     So this works:
>     pdbedit -P "maximum password age" -C 4294967294
>
>
> This way, the message stops ?
see below.
>
>     but this not:
>
>     pdbedit -P "maximum password age" -C -1
>
>     I have also re-disabled the users account control property
>     "Password does not expire" using
>     pdbedit -r -c "[]" test
>
>     Unix username:        test
>     NT username:         Account Flags:        [U          ]
>
>     User SID:             S-1-5-21-1200361472-1041780773-253280391-2648
>     Primary Group SID:    S-1-5-21-1200361472-1041780773-253280391-513
>     Full Name:           Home Directory:       \\fecenter\test
>     HomeDir Drive:        Q:
>     Logon Script:        Profile Path:         \\fecenter\profiles\test
>     Domain:               LSFE
>     Account desc:        Workstations:        Munged dial:        
>     Logon time:           0
>     Logoff time:          never
>     Kickoff time:         never
>     Password last set:    Thu, 25 Feb 2010 10:35:29 CET
>     Password can change:  Thu, 25 Feb 2010 10:35:29 CET
>     Password must change: Sun, 03 Apr 2146 18:03:43 CEST
>
>     Last bad password   : 0
>     Bad password count  : 0
>     Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>     I could have hit on it in a moment!
>
>
> Disabling this policy the message stop too ?
I'm not sure what stoped the message eventually. But I think the first 
one, the second procedure was only to undo my changes I have done while 
testing.

Regards,
Martin

>
> Regards ,
>
>
>     regards,
>     Martin
>
>
>
>
>     Martin Schmidt schrieb:
>
>         hi,
>         I tried pdbedit -P "maximum password age" -C -1, but with no
>         effect.
>         pdbedit -r -c "[X]" test and retyping the password via
>         "smbpasswd test" had also no effect, curiously "pdbedit -v
>         test" gives following:
>
>         Unix username:        test
>         NT username:         Account Flags:        [UX         ]
>         User SID:            
>         S-1-5-21-1200361472-1041780773-253280391-2648
>         Primary Group SID:    S-1-5-21-1200361472-1041780773-253280391-513
>         Full Name:           Home Directory:       \\fecenter\test
>         HomeDir Drive:        Q:
>         Logon Script:        Profile Path:        
>         \\fecenter\profiles\test
>         Domain:               LSFE
>         Account desc:        Workstations:        Munged dial:        
>         Logon time:           0
>         Logoff time:          never
>         Kickoff time:         never
>         Password last set:    Thu, 25 Feb 2010 09:47:06 CET
>         Password can change:  Thu, 25 Feb 2010 09:47:06 CET
>         Password must change: never
>         Last bad password   : 0
>         Bad password count  : 0
>         Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>         regards,
>         Martin
>
>
>
>         Gaiseric Vandal schrieb:
>
>             We had a few users with the same problem when we moved the
>             password backend from tdb to ldap.    The following
>             command seem to fix it.
>
>                  pdbedit -P "maximum password age" -C -1
>
>
>
>
>             On 02/24/2010 04:25 PM, Marcelo Terres wrote:
>
>                 Samba 3.0.24 doesn't have the problem, maybe because
>                 it doesn't support the
>                 policies domain account (configured with pdbedit).
>
>                 This feature starts in 3.0.25 and the problems with
>                 password expiration
>                 starts in the version either.
>
>                 Regards,
>
>                 Marcelo H. Terres
>                 mhterres at gmail.com <mailto:mhterres at gmail.com>
>                 ****************************************
>                 ICQ: 6649932
>                 MSN: mhterres at hotmail.com <mailto:mhterres at hotmail.com>
>                 Jabber: mhterres at jabber.org <mailto:mhterres at jabber.org>
>                 http://twitter.com/mhterres
>                 http://identi.ca/mhterres
>                 ****************************************
>                 http://mundoopensource.blogspot.com/
>                 http://www.propus.com.br
>                 Sent from Porto Alegre, RS, Brazil
>
>                 On Wed, Feb 24, 2010 at 2:38 PM, Martin Schmidt<
>                 martin.schmidt at uni-wuerzburg.de
>                 <mailto:martin.schmidt at uni-wuerzburg.de>>  wrote:
>
>
>                     Hi,
>
>                     I have a very similiar problem, but the story is
>                     an other:
>
>                     I migrated from sles 10 sp2 samba 3.0.24 to ubuntu
>                     9.10 server samba 3.4.3
>                     (pdc). The user-accounts were moved following this
>                     instruction:
>                     http://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/.
>
>                     When some user now try to login to the domain from
>                     a xp-client following
>                     message appears at every login: "Your Windows
>                     password has expired and must
>                     be changed. You must change your password now!"
>                     The user can change the
>                     password and everything works fine. But at next
>                     login the same story. This
>                     happens only to some of the old users and to all
>                     users created after
>                     migration. Any idea what could be the reason for
>                     this? I already searched a
>                     lot but didn't find something like this.
>
>                     Thanks for any info.
>
>                     Regards,
>                     Martin
>
>                     Dipl.- Geogr. Martin Schmidt
>
>                     Würzburg University
>                     Department of Geography
>                     Remote Sensing Unit
>                     &
>                     German Remote Sensing Data Center (DFD) at
>                     German Aerospace Center (DLR) Oberpfaffenhofen
>                     --------------------------------------------------------
>                     Am Hubland
>                     97074 Würzburg
>                     phone: +49 (931) 31-88179
>                     fax:   +49 (931) 888-5544
>                     eMail: martin.schmidt at uni-wuerzburg.de
>                     <mailto:martin.schmidt at uni-wuerzburg.de>
>
>
>
>                     Here my smb.conf:
>
>                     [global]
>                       #log file = /var/log/samba.%m
>                       smb ports = 139 445
>                             #root = administrator
>                       #DOMAIN ADMINS = root, administrator
>
>                       #----Allgemeine
>                     Einstellungen--------------------------------------------------
>                       #Workgroup
>                       netbios name = XXX     #netbios aliases =  XXX
>                       server string = XXX
>                       workgroup = XXX
>                       guest account = XXX
>
>
>
>                     #-----Sicherheit--------------------------------------------------------------
>
>                       #Nur Subnetz FE zulassen
>                       hosts deny = XXX
>                       hosts allow = XXX
>
>                       #Nur die Ethernet Karte 0 und Loopback zulassen
>                       interfaces = eth0 lo
>                       bind interfaces only = yes
>
>                       #Unbekannt Nutzer rejecten
>                       #map to guest = Never
>
>                       #Zugriff auf benutzerdefinierte Freigaben nicht
>                     erlauben
>                       #usershare allow guests = No
>
>                       #Kommunikation der Clients mit Samba auf User Ebene
>                       #Passwort - Backend
>                       #passdb backend = tdbsam:/etc/samba/passdb.tdb
>                       passdb backend= smbpasswd     security = user
>                       encrypt passwords = true     smb passwd file =
>                     /etc/samba/smbpasswd
>                       passwd program = /usr/bin/smbpasswd %u
>                       unix password sync = false
>                       obey pam restrictions = yes
>
>                       #Fuer bestimmte Nutzer gibts extra smb.conf Dateien
>                       config file = /etc/samba/smb.conf.%U
>
>
>                       #---- Roaming Profiles
>                     -----------------------------------------------------
>                       #Antworten auf WIN98/95 Anfragen
>                       domain logons = Yes
>                       logon path = \\%L\profiles\%U
>                       logon drive = Q:
>                       #logon script = logon.cmd
>
>                       #---- Browsing und Domain Master (PDC)
>                     -------------------------------------
>                       #wins support = Yes
>                       #wins server = XXX
>                       #wins proxy = yes
>                       #PDC im Subnetz
>                       domain master = Yes
>                       local master = Yes
>                       preferred master = Yes
>                       os level = 65
>                       #client-side caching policy
>                       #csc policy = disable
>
>
>                     #----Benutzerverwaltung-----------------------------------------------------
>
>                       #Hinzufuegen einer Maschine ueber die Methode
>                     Benutzername/Passwort
>                       #add machine script = /usr/sbin/useradd  -c
>                     Machine -d /var/lib/nobody -s
>                     /bin/false %m$
>
>
>                     #---Drucker----------------------------------------------------------------
>
>                       load printers = no
>                       printing = bsd
>                       printcap name = /dev/null
>                       disable spoolss = yes
>
>
>                     #----Tuning-----------------------------------------------------------------
>
>                       socket options = TCP_NODELAY IPTOS_LOWDELAY
>                       #Zeit zur Unterbrechung der Verbindung
>                     Server-Client bei Verlust des
>                     Clients
>                       deadtime = 10
>                       #getwd cache = yes
>                       #kernel oplocks = no
>                       ldap suffix =
>                       log level = 1
>                         #Sonstiger Mist
>                       #include = /etc/samba/dhcp.conf
>                       dos charset = CP850
>                       display charset = ISO8859-1
>                       unix charset = ISO8859-1
>                       #oplock break wait time = 20
>                       #oplocks = no
>                       #kernel oplocks = no
>
>                       #---- Zeit-Server
>                     ----------------------------------------------------------
>                       time server = true
>
>                     ###################################
>                     # Anmeldung Freigaben #############
>                     ###################################
>
>                     [homes]
>                       comment = Home Directories
>                       valid users = %S, %D%w%S
>                       browseable = No
>                       read only = No
>                       inherit acls = Yes
>                       create mask = 0664
>                       directory mask = 0775
>
>                     [profiles]
>                       comment = Network Profiles Service
>                       path = /home/samba/windowsprofiles
>                       hide files = /desktop.ini/
>                       read only = No
>                       browseable = No
>                       guest ok = Yes
>                       writable = Yes
>                       printable = No
>                       store dos attributes = Yes
>                       create mask = 0700
>                       directory mask = 0700
>
>                      [netlogon]
>                       comment = Network Logon Service2
>                       path = /home/samba/netlogon/%g
>                       guest ok = Yes
>                       browseable = No
>                       read only = No
>                       writable = Yes
>
>
>                     ###################################
>                     # Freigaben #######################
>                     ###################################
>                     ...
>
>
>
>
>                     Marcelo Terres schrieb:
>
>                      Hi.
>
>                         I enabled policies with pdbedit. Password must
>                         be changed every 90 days
>                         and
>                         must contain at least 8 characters. I enabled
>                         password history too.
>
>                         After that (I tried it in samba 3.4.3 and
>                         3.0.25 with same behaviour)
>                         every
>                         time a user try to log in the domain using
>                         Windows receives a "Your
>                         password
>                         expires today. Do you want to change it now ?"
>                         message box. If the
>                         password
>                         is changed, the message appear again next time
>                         the user try to login. If
>                         the
>                         user answers no the same thing happens in the
>                         next login.
>
>                         I tested it with a lot of users and changed
>                         the passwords several times
>                         and
>                         the problem continues.
>
>                         Anybody have some idea about this problem ?
>
>                         Thanks in advance.
>
>                         Regards,
>
>                         Marcelo H. Terres
>                         mhterres at gmail.com <mailto:mhterres at gmail.com>
>                         ****************************************
>                         ICQ: 6649932
>                         MSN: mhterres at hotmail.com
>                         <mailto:mhterres at hotmail.com>
>                         Jabber: mhterres at jabber.org
>                         <mailto:mhterres at jabber.org>
>                         http://twitter.com/mhterres
>                         http://identi.ca/mhterres
>                         ****************************************
>                         http://mundoopensource.blogspot.com/
>                         http://www.propus.com.br
>                         Sent from Porto Alegre, RS, Brazil
>
>
>
>                     -- 
>                     To unsubscribe from this list go to the following
>                     URL and read the
>                     instructions:
>                     https://lists.samba.org/mailman/options/samba
>
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
>
> Marcelo H. Terres
> mhterres at gmail.com <mailto:mhterres at gmail.com>
> ****************************************
> ICQ: 6649932
> MSN: mhterres at hotmail.com <mailto:mhterres at hotmail.com>
> Jabber: mhterres at jabber.org <mailto:mhterres at jabber.org>
> http://twitter.com/mhterres
> http://identi.ca/mhterres
> ****************************************
> http://mundoopensource.blogspot.com/
> http://www.propus.com.br
>


More information about the samba mailing list