[Samba] Some hint reading password expiration data...

Marco Gaiarin gaio at sv.lnf.it
Fri Oct 20 14:55:05 UTC 2017


In my current ''production'' NT-like domain (samba 4.2, OpenLDAP
backend), password policies seem to ''get written'' to user data.

E.g., if I set:

	pdbedit -P "maximum password age" -C 7776000

and I change my password, 'Password must change' has a meaningful value,
e.g. 90 days after the last password change:

 root at armitage:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          gaio
 Account Flags:        [U          ]
 User SID:             S-1-5-21-1458177777-355997386-270368766-1087
 Primary Group SID:    S-1-5-21-1458177777-355997386-270368766-1009
 Full Name:            Marco Gaiarin
 Home Directory:       \\ARMITAGE\gaio
 HomeDir Drive:        p:
 Logon Script:         startup.bat
 Profile Path:         \\ARMITAGE\profiles\gaio
 Domain:               SANVITO
 Account desc:         
 Workstations:         
 Munged dial:          
 Logon time:           mer, 18 ott 2017 11:43:42 CEST
 Logoff time:          gio, 14 lug 2005 16:27:33 CEST
 Kickoff time:         0
 Password last set:    mer, 18 ott 2017 11:42:12 CEST
 Password can change:  mer, 18 ott 2017 11:42:12 CEST
 Password must change: mar, 16 gen 2018 10:42:12 CET
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


But in the new 'AD' domain I'm setting up, it seems that things do not
work like this.

If I set the same policy:

	samba-tool domain passwordsettings set --max-pwd-age=90

and I change the password, I get:

 root at vdcsv1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       
 HomeDir Drive:        (null)
 Logon Script:         
 Profile Path:         
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:         
 Munged dial:          
 Logon time:           mar, 03 ott 2017 17:13:38 CEST
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    ven, 20 ott 2017 16:15:36 CEST
 Password can change:  ven, 20 ott 2017 16:15:36 CEST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Note the 'Password must change: never'.


Is this ''normal'', i.e. password policies get applied without setting 'Password must
change:'? Or am I missing something?

In another, more generic way: how are password policies enforced?


I've noticed that if I change a password with
'--must-change-at-next-login', I get a different value (0):

 root at vdcsv1:~# samba-tool user setpassword --random-password --must-change-at-next-login --option="check password script"="" gaio
 Changed password OK
 root at vdcsv1:~# pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       
 HomeDir Drive:        (null)
 Logon Script:         
 Profile Path:         
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:         
 Munged dial:          
 Logon time:           mar, 03 ott 2017 17:13:38 CEST
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    0
 Password can change:  0
 Password must change: 0
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

And also if I set the 'cannot change password' flag:

 root at vdcsv1:~# pdbedit --account-control="[X]" gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [UX         ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       
 HomeDir Drive:        (null)
 Logon Script:         
 Profile Path:         
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:         
 Munged dial:          
 Logon time:           mar, 03 ott 2017 17:13:38 CEST
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    ven, 20 ott 2017 16:52:13 CEST
 Password can change:  ven, 20 ott 2017 16:52:13 CEST
 Password must change: mar, 19 gen 2038 04:14:07 CET
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So it seems that 'Password must change' is used somehow...


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
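As an added worked example, not part of this post or of Samba's own code: in the Active Directory data model the expiry date is not a stored per-user field but is derived from the user's pwdLastSet, the domain's maxPwdAge (a negative 100 ns interval) and the userAccountControl flags, with pwdLastSet = 0 meaning "must change at next logon" and the 0x10000 flag meaning "never expires". The Python below mirrors that derivation with the 90-day policy and the 20 Oct 2017 'Password last set' shown above (the sample timestamp is constructed from that output); how pdbedit renders the result on its 'Password must change' line is not something the post settles.

```python
from datetime import datetime, timezone

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_OFFSET = 11644473600
HUNDRED_NS_PER_SECOND = 10_000_000
# userAccountControl bit: password never expires (standard AD value).
UF_DONT_EXPIRE_PASSWD = 0x10000

def to_filetime(dt):
    """Aware UTC datetime -> AD integer time (100 ns units since 1601-01-01)."""
    return (int(dt.timestamp()) + FILETIME_EPOCH_OFFSET) * HUNDRED_NS_PER_SECOND

def from_filetime(ft):
    """AD integer time -> aware UTC datetime (sub-second part dropped)."""
    secs = ft // HUNDRED_NS_PER_SECOND - FILETIME_EPOCH_OFFSET
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def max_pwd_age_interval(days):
    """Domain maxPwdAge as AD stores it: a negative 100 ns interval.
    90 days -> -77760000000000 (the 7776000 seconds used with pdbedit -P above)."""
    return -days * 86400 * HUNDRED_NS_PER_SECOND

def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Effective expiry under the AD model, computed rather than read back.
    Returns an aware datetime, or the strings 'must change at next logon' / 'never'."""
    if pwd_last_set == 0:
        return "must change at next logon"
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return "never"
    # maxPwdAge is negative, so subtracting it moves forward in time.
    return from_filetime(pwd_last_set - max_pwd_age)

def is_expired(pwd_last_set, max_pwd_age, user_account_control, now):
    """Check the computed expiry against a reference time; 'never' is never expired,
    and a zeroed pwdLastSet counts as expired (the user is forced to change)."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    if expiry == "never":
        return False
    if expiry == "must change at next logon":
        return True
    return now >= expiry

# Constructed from the post's output: 'ven, 20 ott 2017 16:15:36 CEST' is 14:15:36 UTC.
SAMPLE_PWD_LAST_SET = to_filetime(datetime(2017, 10, 20, 14, 15, 36, tzinfo=timezone.utc))
NINETY_DAYS = max_pwd_age_interval(90)

if __name__ == "__main__":
    print(password_expiry(SAMPLE_PWD_LAST_SET, NINETY_DAYS, 0))  # 2018-01-18 14:15:36+00:00
    print(password_expiry(0, NINETY_DAYS, 0))
    print(password_expiry(SAMPLE_PWD_LAST_SET, NINETY_DAYS, UF_DONT_EXPIRE_PASSWD))
```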


