[Samba] Some hint reading password expiration data...

Marco Gaiarin gaio at sv.lnf.it
Mon Oct 23 14:52:05 UTC 2017


Sorry, I come back to this, but:

> In another, more generic, way: how password policies are enforced?

I still need an answer to this question.


I've done some tests, using my account, which pdbedit shows as:

 root at vdcsv1:~# LANG=C pdbedit -v gaio
 Unix username:        gaio
 NT username:          
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       
 HomeDir Drive:        (null)
 Logon Script:         
 Profile Path:         
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:         
 Munged dial:          
 Logon time:           Tue, 03 Oct 2017 17:13:38 CEST
 Logoff time:          0
 Kickoff time:         Thu, 14 Sep 30828 04:48:05 CEST
 Password last set:    Fri, 20 Oct 2017 16:52:13 CEST
 Password can change:  Fri, 20 Oct 2017 16:52:13 CEST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and looking at my account (and with a bit of Google ;-) I've found that,
for example, password last set in LDAP is OK (minus a year, I've not understood
why):

 root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
 Thu Oct 20 16:52:13 CEST 2016

If I try to do the same with 'accountExpires':

 root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
 Wed Sep 15 04:48:05 CEST 30827

but Google tells me:
	https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

and:
	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2
	9223372036854775807

so 'account never expires' matches with 'never'.


Also, if I look at 'userAccountControl' I find 512 as the value:
	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
	512

so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx).

If I disable it:
	root at vdcsv1:~# pdbedit --account-control="[D]" gaio
	[...]
	Account Flags:        [DU         ]
	[...]
	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
	514

so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE.

If I set 'do not expire':
	root at vdcsv1:~# pdbedit --account-control="[X]" gaio
	[...]
	Account Flags:        [UX         ]
	[...]
	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
	66048

so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT && ADS_UF_DONT_EXPIRE_PASSWD.

So, it seems to me that 'pdbedit' is still a useful and coherent tool to
set account flags.



With these experiments, I split my question into two parts:


1) considering that 'accountExpires' probably is here for other things
 (eg, setting an account expiration ''per se'', not for setting
*password* expiration...), are password expiration policies enforced
''automatically'' using the last password change and the policy value?!
In other words: to have the password expiration date, do I have to
''manually'' compute the date by adding the policy days to the last
password set date?
Supposing I'm not using (only) the ''default'' password policy, but I use
different password policies for different OUs (in GPOs), how can I
determine the 'max-pwd-age' policy value from GPOs?

2) as it seems to be, is 'pdbedit' still a valuable tool to handle these
 things (eg, reading password dates and setting account flags)?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
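Added example, not from the original post and not Samba's own code: a small Python helper that does the conversions the shell commands above do by hand, and then derives the password expiry the way AD does it (pwdLastSet + maxPwdAge). The epoch difference between 1601-01-01 and 1970-01-01 is 11644473600 seconds; the 11676009600 used in the 'date' commands above is exactly 365 days (31536000 s) larger, which is where the missing year comes from (with 11644473600 the same pwdLastSet value gives 2017, and accountExpires = 9223372036854775807 gives 14 Sep 30828, the same "Kickoff time" pdbedit prints). The pwdLastSet value is constructed from the date pdbedit printed (the post does not show the raw attribute), the 42-day maxPwdAge is an assumption (Windows default; Samba's provisioning default is roughly 43 days, check with `samba-tool domain passwordsettings show`), and the userAccountControl values 512, 514 and 66048 are the ones from the post.

```python
"""Decode Samba AD / Active Directory time and flag attributes.

Added example (not code from the original post or from Samba).  It assumes
only the documented AD semantics: pwdLastSet, accountExpires and lastLogon
are 64-bit counts of 100 ns intervals since 1601-01-01 UTC ("FILETIME"),
maxPwdAge on the domain object is such a count stored as a NEGATIVE number,
and userAccountControl is a bit mask.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

EPOCH_DIFF_SECONDS = 11644473600         # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000            # one tick = 100 ns

NEVER = 0x7FFFFFFFFFFFFFFF               # 9223372036854775807: accountExpires "never"
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge value meaning "passwords never expire"
UF_DONT_EXPIRE_PASSWD = 0x10000

# (bit, AD flag name, pdbedit letter), in the order pdbedit prints the letters.
UAC_FLAGS = (
    (0x00000020, "PASSWD_NOTREQD", "N"),
    (0x00000002, "ACCOUNTDISABLE", "D"),
    (0x00000008, "HOMEDIR_REQUIRED", "H"),
    (0x00000100, "TEMP_DUPLICATE_ACCOUNT", "T"),
    (0x00000200, "NORMAL_ACCOUNT", "U"),
    (0x00020000, "MNS_LOGON_ACCOUNT", "M"),
    (0x00001000, "WORKSTATION_TRUST_ACCOUNT", "W"),
    (0x00002000, "SERVER_TRUST_ACCOUNT", "S"),
    (0x00000010, "LOCKOUT", "L"),
    (0x00010000, "DONT_EXPIRE_PASSWD", "X"),
    (0x00000800, "INTERDOMAIN_TRUST_ACCOUNT", "I"),
)

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """100 ns-since-1601 integer -> aware UTC datetime.

    0 and 0x7FFFFFFFFFFFFFFF are sentinels ("not set" / "never"); the latter
    would be year 30828, outside datetime's range, so both return None.
    """
    if value in (0, NEVER):
        return None
    seconds, ticks = divmod(value, TICKS_PER_SECOND)
    return UNIX_EPOCH + timedelta(seconds=seconds - EPOCH_DIFF_SECONDS,
                                  microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (sub-microsecond ticks are lost)."""
    delta = when - UNIX_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return (seconds + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND + delta.microseconds * 10


def decode_uac(uac: int) -> List[str]:
    """Names of the userAccountControl bits set, e.g. 514 -> ACCOUNTDISABLE, NORMAL_ACCOUNT."""
    return [name for bit, name, _ in UAC_FLAGS if uac & bit]


def pdbedit_flags(uac: int) -> str:
    """Render userAccountControl like the 'Account Flags' line of 'pdbedit -v'."""
    letters = "".join(letter for bit, _, letter in UAC_FLAGS if uac & bit)
    return "[" + letters.ljust(11) + "]"


def password_state(pwd_last_set: int, uac: int, max_pwd_age: int,
                   now: datetime) -> Tuple[str, Optional[datetime]]:
    """Derive the password expiry the way AD does: pwdLastSet + maxPwdAge.

    Returns (state, expiry); state is "never", "must-change", "expired" or
    "valid".  maxPwdAge is negative, so subtracting it moves the date forward.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return "never", None
    if pwd_last_set == 0:
        return "must-change", None       # "user must change password at next logon"
    try:
        expiry = filetime_to_datetime(pwd_last_set - max_pwd_age)
    except OverflowError:                # maxPwdAge so large the date is past year 9999
        return "never", None
    if expiry is None:
        return "never", None
    return ("expired" if expiry <= now else "valid"), expiry


# Constructed sample input: pwdLastSet for Fri 20 Oct 2017 16:52:13 CEST
# (14:52:13 UTC, the time pdbedit printed) and an assumed 42-day maxPwdAge.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2017, 10, 20, 14, 52, 13, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -(42 * 86400 * TICKS_PER_SECOND)

if __name__ == "__main__":
    now = datetime(2017, 10, 23, 14, 52, 5, tzinfo=timezone.utc)   # date of the post
    print("pwdLastSet    ", SAMPLE_PWD_LAST_SET, filetime_to_datetime(SAMPLE_PWD_LAST_SET))
    print("accountExpires", NEVER, filetime_to_datetime(NEVER))
    for uac in (512, 514, 66048):
        print("uac", uac, pdbedit_flags(uac), decode_uac(uac))
        print("   ", password_state(SAMPLE_PWD_LAST_SET, uac, SAMPLE_MAX_PWD_AGE, now))
```

The expiry is not stored on the user object: AD derives it from pwdLastSet plus the domain's maxPwdAge (stored as a negative count of 100 ns intervals on the domain object), except when the account carries DONT_EXPIRE_PASSWD or maxPwdAge is 0 or the "never" sentinel. Active Directory also exposes the result as the constructed attribute msDS-UserPasswordExpiryTimeComputed; whether the Samba version in use returns it to ldbsearch is worth checking before computing by hand. On the per-OU question: the password policy that governs domain accounts is the one on the domain object (the Default Domain Policy's maxPwdAge and friends); password settings in GPOs linked to OUs only affect the local accounts of the computers in those OUs, and per-user or per-group variation needs fine-grained password policies (PSOs, msDS-PasswordSettings objects).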


