[Samba] Changing user account passwords using smbpasswd after password expiration

Yudai Yamagishi yummy at sfc.wide.ad.jp
Mon Oct 27 08:47:15 MDT 2014


Hi,

I actually looked into pdbedit -P before asking the question, and thus have some output
values of pdbedit pasted. Could you give me a hint on how I can accomplish what
I am trying to do?

I currently have “maximum password age” set to 90 days, which is enabling me to
enforce a 90-day expiration rule on the user accounts. By looking at the link
you sent, I can’t find any options in pdbedit that would enable the users to change
passwords after password expiration. (“refuse machine password change” is
set to 0 so I don’t think this applies?)

Thanks!
Yudai Yamagishi

On 2014/10/26 7:23, Karel Lang AFD <lang at afd.cz> wrote:

> Hi,
> perhaps what you look for is 'pdbedit -P' for setting the domain password policies?
> 
> nice example http://www.agix.com.au/blog/?p=631
> 
> official samba page:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing
> 
> 
> cheers :]
> 
> On 10/25/2014 07:39 PM, Yudai Yamagishi wrote:
>> Hi Ricky,
>> 
>> Thanks for your response.
>> 
>> Do you know if there is any way I can make the account unable to login after X days
>> (= password expiration) but the password can be changed somehow for additional
>> Y days? So, the password expires after X days and the password can be changed
>> for (X + Y) days since the last password change.
>> 
>> Thanks!
>> Yudai Yamagishi
>> 
>> On 2014/10/25 12:36, Ricky Nance <ricky.nance at gmail.com> wrote:
>> 
>>> Hi Yudai,
>>> 
>>> On Oct 24, 2014 12:51 AM, "Yudai Yamagishi" <yummy at sfc.wide.ad.jp> wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> I’m currently having a problem where a non-root user can’t change his/her own
>>>> password using smbpasswd command after the password expiration and would
>>>> like to know how I could solve this problem.
>>> 
>>> I think this is expected behavior for all systems, I know for sure this is how a windows domain acts. Once the password is expired, the user shouldn't be able to access the system (to reset or otherwise).
>>> 
>>>> 
>>>> Currently, I have a samba server running on CentOS 6.5 with its passdb backend
>>>> configured to another LDAP server. The samba version I’m currently using is
>>>> samba-3.6.9-169 which should be the latest version provided by yum on CentOS 6.
>>>> The setup is working perfectly as it should except for the one issue I mentioned above,
>>>> which is, a user with an expired password cannot change their own password using the
>>>> smbpasswd command.
>>>> 
>>>> I currently have the following samba-related entries in each user in my LDAP database:
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 2147483647
>>>> sambaKickoffTime: 2147483647
>>>> sambaPwdCanChange: 0
>>>> sambaPwdMustChange: 2147483647
>>>> sambaPwdLastSet: 1406347540
>>>> 
>>>> Also, I have sambaDomainName=WORKGROUP with entries like the following:
>>>> sambaMinPwdAge: 0
>>>> sambaPwdHistoryLength: 0
>>>> sambaMinPwdLength: 6
>>>> sambaLogonToChgPwd: 2
>>>> sambaLockoutDuration: 1
>>>> sambaMaxPwdAge: 7776000
>>>> sambaLockoutObservationWindow: 1
>>>> sambaLockoutThreshold: 5
>>>> 
>>>> With these settings pdbedit shows the following output:
>>>> # pdbedit -u USERNAME -v
>>>> Unix username:        USERNAME
>>>> NT username:          USERNAME
>>>> Account Flags:        [U          ]
>>>> User SID:             **DELETED**
>>>> Primary Group SID:    **DELETED**
>>>> Full Name:            USERNAME
>>>> Home Directory:
>>>> HomeDir Drive:        H:
>>>> Logon Script:         logon.bat
>>>> Profile Path:
>>>> Domain:               WORKGROUP
>>>> Account desc:
>>>> Workstations:
>>>> Munged dial:
>>>> Logon time:           0
>>>> Logoff time:          Tue, 19 Jan 2038 12:14:07 JST
>>>> Kickoff time:         Tue, 19 Jan 2038 12:14:07 JST
>>>> Password last set:    Sat, 26 Jul 2014 13:05:40 JST
>>>> Password can change:  Sat, 26 Jul 2014 13:05:40 JST
>>>> Password must change: Fri, 24 Oct 2014 13:05:40 JST
>>>> Last bad password   : 0
>>>> Bad password count  : 0
>>>> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> 
>>>> # pdbedit -P "maximum password age" -v
>>>> account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
>>>> account policy "maximum password age" value is: 7776000
>>>> 
>>>> # pdbedit -P "minimum password age" -v
>>>> account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
>>>> account policy "minimum password age" value is: 0
>>>> 
>>>> # pdbedit -P "user must logon to change password" -v
>>>> account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
>>>> account policy "user must logon to change password" value is: 2
>>>> 
>>>> # pdbedit -P "refuse machine password change" -v
>>>> account policy "refuse machine password change" description: Allow Machine Password changes (default: 0 => off)
>>>> account policy "refuse machine password change" value is: 0
>>>> 
>>>> When I run smbpasswd (smbpasswd -U USERNAME) from a non-root user, it dies with:
>>>> SPNEGO login failed: Password expired (shown when -D 10)
>>>> cli_init_creds: user  domain (shown when -D 10)
>>>> Failed to change password!
>>>> 
>>>> I can’t paste all the server logs here but the following log seems to be related (log level 50):
>>>> [2014/10/24 14:34:08.679682,  5] auth/check_samsec.c:165(logon_hours_ok)
>>>>  logon_hours_ok: user USERNAME allowed to logon at this time (Fri Oct 24 05:34:08 2014
>>>>  )
>>>> [2014/10/24 14:34:08.679736,  4] smbd/sec_ctx.c:214(push_sec_ctx)
>>>>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>>> [2014/10/24 14:34:08.679773,  4] smbd/uid.c:460(push_conn_ctx)
>>>>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>>> [2014/10/24 14:34:08.679809,  4] smbd/sec_ctx.c:314(set_sec_ctx)
>>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>>> [2014/10/24 14:34:08.679845,  5] ../libcli/security/security_token.c:53(security_token_debug)
>>>>  Security token: (NULL)
>>>> [2014/10/24 14:34:08.679881,  5] auth/token_util.c:527(debug_unix_user_token)
>>>>  UNIX token of user 0
>>>>  Primary group is 0 and contains 0 supplementary groups
>>>> [2014/10/24 14:34:08.679942, 11] passdb/pdb_ldap.c:4040(ldapsam_get_account_policy)
>>>>  ldapsam_get_account_policy: got valid value from cache
>>>> [2014/10/24 14:34:08.679982,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>>>>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2014/10/24 14:34:08.680020,  1] auth/check_samsec.c:224(sam_account_ok)
>>>>  sam_account_ok: Account for user 'USERNAME' password expired!
>>>> [2014/10/24 14:34:08.680062,  1] auth/check_samsec.c:225(sam_account_ok)
>>>>  sam_account_ok: Password expired at 'Fri, 24 Oct 2014 13:05:40 JST' (1414123540) unix time.
>>>> [2014/10/24 14:34:08.680108,  5] auth/auth.c:271(check_ntlm_password)
>>>>  check_ntlm_password: sam authentication for user [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
>>>> [2014/10/24 14:34:08.680152, 10] auth/auth_winbind.c:50(check_winbind_security)
>>>>  Check auth for: [USERNAME]
>>>> [2014/10/24 14:34:08.680188,  3] auth/auth_winbind.c:60(check_winbind_security)
>>>>  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
>>>> [2014/10/24 14:34:08.680223, 10] auth/auth.c:259(check_ntlm_password)
>>>>  check_ntlm_password: winbind had nothing to say
>>>> [2014/10/24 14:34:08.680260,  2] auth/auth.c:319(check_ntlm_password)
>>>>  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_PASSWORD_EXPIRED
>>>> [2014/10/24 14:34:08.680306,  3] smbd/error.c:81(error_packet_set)
>>>>  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_EXPIRED
>>>> 
>>>> 
>>>> The issue I’m having sounds like the bug mentioned in the bug report below:
>>>> https://bugzilla.samba.org/show_bug.cgi?id=4085
>>>> However, since I am running a version which should have the patch applied,
>>>> I don’t think this bug applies to my case.
>>>> 
>>>> So, can anyone shed some light on what’s going on here?
>>>> 
>>>> Best Regards,
>>>> Yudai Yamagishi
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> 
>>> Hope that helps,
>>> Ricky
>>> 
>> 
> 
> 
> -- 
> *Karel Lang*
> *Unix/Linux Administration*
> lang at afd.cz | +420 731 13 40 40
> AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
> 

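As an added example (not code from the thread or from Samba itself), the following Python models the password-age arithmetic visible in the pdbedit output quoted above: the "Password must change" time is sambaPwdLastSet plus the domain's sambaMaxPwdAge (1406347540 + 7776000 = 1414123540, the value the log reports), while the per-user sambaPwdMustChange of 2147483647 plays no part, and it adds the "X days to logon, X + Y days to change" grace window asked about in the thread as a policy check. The sambaAcctFlags value is assumed from the "Account Flags" line of the pdbedit output; everything else is copied from the pasted LDAP entries.

```python
"""Model of the password-age checks seen in the thread (added example, not Samba code)."""

NEVER = 2147483647  # sentinel Samba stores for "never" (pdbedit shows it as 19 Jan 2038)

# Constructed input: the user and domain attributes as pasted in the thread.
# sambaAcctFlags is assumed from the "Account Flags: [U ]" line of pdbedit -v.
USER_LDIF = """sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1406347540
sambaAcctFlags: [U          ]"""
DOMAIN_LDIF = """sambaMinPwdAge: 0
sambaMaxPwdAge: 7776000
sambaLogonToChgPwd: 2"""


def parse_ldif(text):
    """Parse 'attr: value' lines; integer-looking values become ints."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        out[key] = int(value) if value.lstrip("-").isdigit() else value
    return out


def pass_can_change(user, policy):
    """Earliest change time: last set + minimum age (0 here, so immediately)."""
    return user["sambaPwdLastSet"] + policy.get("sambaMinPwdAge", 0)


def pass_must_change(user, policy):
    """Expiry: last set + maximum age. 'Never' if the account carries the X
    (no expiry) flag or the policy is -1; sambaPwdMustChange is not consulted."""
    if "X" in user.get("sambaAcctFlags", ""):
        return NEVER
    max_age = policy.get("sambaMaxPwdAge", -1)
    return NEVER if max_age < 0 else user["sambaPwdLastSet"] + max_age


def status(user, policy, now, grace_days=0):
    """'valid' before expiry; 'expired-changeable' inside an extra grace window
    (the X + Y days proposed in the thread); 'expired' afterwards."""
    must = pass_must_change(user, policy)
    if must == NEVER or now < must:
        return "valid"
    if now < must + grace_days * 86400:
        return "expired-changeable"
    return "expired"


if __name__ == "__main__":
    user, policy = parse_ldif(USER_LDIF), parse_ldif(DOMAIN_LDIF)
    print("must change at", pass_must_change(user, policy))  # 1414123540, as in the log
    print(status(user, policy, now=1414128848, grace_days=7))  # smbpasswd attempt time
```

Passing a grace window of zero reproduces the thread's situation at 14:34 JST on 24 Oct 2014 (epoch 1414128848), where the account is simply expired.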


More information about the samba mailing list