[Samba] Some hint reading password expiration data...
Marco Gaiarin
gaio at sv.lnf.it
Fri Oct 20 14:55:05 UTC 2017
In my current ''production'' NT-like domain (samba 4.2, OpenLDAP
backend), password policies seem to ''get written'' to user data.
E.g., if I set:
pdbedit -P "maximum password age" -C 7776000
and I change my password, 'Password must change' has a meaningful value,
e.g. 90 days after the last password change:
root@armitage:~# pdbedit -v gaio
Unix username: gaio
NT username: gaio
Account Flags: [U ]
User SID: S-1-5-21-1458177777-355997386-270368766-1087
Primary Group SID: S-1-5-21-1458177777-355997386-270368766-1009
Full Name: Marco Gaiarin
Home Directory: \\ARMITAGE\gaio
HomeDir Drive: p:
Logon Script: startup.bat
Profile Path: \\ARMITAGE\profiles\gaio
Domain: SANVITO
Account desc:
Workstations:
Munged dial:
Logon time: mer, 18 ott 2017 11:43:42 CEST
Logoff time: gio, 14 lug 2005 16:27:33 CEST
Kickoff time: 0
Password last set: mer, 18 ott 2017 11:42:12 CEST
Password can change: mer, 18 ott 2017 11:42:12 CEST
Password must change: mar, 16 gen 2018 10:42:12 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
But in the new 'AD' domain I'm setting up, it seems that things do not
work like this.
If I set the same policy:
samba-tool domain passwordsettings set --max-pwd-age=90
and I change the password, I get:
root@vdcsv1:~# pdbedit -v gaio
Unix username: gaio
NT username:
Account Flags: [U ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: mar, 03 ott 2017 17:13:38 CEST
Logoff time: 0
Kickoff time: gio, 14 set 30828 04:48:05 CEST
Password last set: ven, 20 ott 2017 16:15:36 CEST
Password can change: ven, 20 ott 2017 16:15:36 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Note the 'Password must change: never'.
Is this ''normal'', e.g. password policies get applied without setting 'Password must
change:'? Or am I missing something?
Put another, more generic, way: how are password policies enforced?
I've noted that if I change a password with
'--must-change-at-next-login', I get a different value (0):
root@vdcsv1:~# samba-tool user setpassword --random-password --must-change-at-next-login --option="check password script"="" gaio
Changed password OK
root@vdcsv1:~# pdbedit -v gaio
Unix username: gaio
NT username:
Account Flags: [U ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: mar, 03 ott 2017 17:13:38 CEST
Logoff time: 0
Kickoff time: gio, 14 set 30828 04:48:05 CEST
Password last set: 0
Password can change: 0
Password must change: 0
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
And also if I set the 'cannot change password' flag:
root@vdcsv1:~# pdbedit --account-control="[X]" gaio
Unix username: gaio
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: mar, 03 ott 2017 17:13:38 CEST
Logoff time: 0
Kickoff time: gio, 14 set 30828 04:48:05 CEST
Password last set: ven, 20 ott 2017 16:52:13 CEST
Password can change: ven, 20 ott 2017 16:52:13 CEST
Password must change: mar, 19 gen 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
So it seems that 'Password must change' is used somehow...
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
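Added example, not part of the post or of Samba's own code: in Active Directory the expiry date is not stored per user but derived from the user's pwdLastSet (a FILETIME, 100-ns ticks since 1601) plus the domain's maxPwdAge (a negative 100-ns interval), with pwdLastSet = 0 meaning "change at next logon" and the DONT_EXPIRE_PASSWD flag in userAccountControl meaning "never". The attribute values below are constructed to match the 90-day policy and dates discussed above.

```python
"""Derive AD-style password expiry from pwdLastSet, maxPwdAge and userAccountControl."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME resolution: 100 ns
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl: "password never expires"
MAX_PWD_AGE_NEVER = -0x8000000000000000  # INT64_MIN: Windows' encoding of "no maximum age"


def filetime_to_datetime(ticks):
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Convert a timezone-aware datetime to a FILETIME tick count."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Return 'never', 'must change at next logon', or the UTC datetime of expiry.

    pwd_last_set:          user's pwdLastSet attribute (FILETIME ticks)
    max_pwd_age:           domain's maxPwdAge attribute (negative 100-ns interval)
    user_account_control:  user's userAccountControl bit flags
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never"
    if pwd_last_set == 0:
        # A zero pwdLastSet is how "must change at next login" is recorded.
        return "must change at next logon"
    if max_pwd_age == 0 or max_pwd_age == MAX_PWD_AGE_NEVER:
        return "never"
    # maxPwdAge is stored negated; add its magnitude to the last-set time.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


# Constructed sample: 90-day policy, password set 2017-10-20 16:15:36 CEST (14:15:36 UTC).
SAMPLE_MAX_PWD_AGE = -90 * 86400 * TICKS_PER_SECOND
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2017, 10, 20, 14, 15, 36, tzinfo=timezone.utc))
UF_NORMAL_ACCOUNT = 0x200

if __name__ == "__main__":
    print(password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, UF_NORMAL_ACCOUNT))
    print(password_expiry(0, SAMPLE_MAX_PWD_AGE, UF_NORMAL_ACCOUNT))
    print(password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE,
                          UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD))
```

Feeding the real attribute values from `ldbsearch` into the same function reproduces the date a domain controller would enforce even though no per-user expiry attribute exists.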