[Samba] Some hint reading password expiration data...
Marco Gaiarin
gaio at sv.lnf.it
Mon Oct 23 14:52:05 UTC 2017
Sorry, I'm coming back to this, but:
> In another, more generic, way: how password policies are enforced?
I still need an answer to this question.
I've done some tests using my account, which pdbedit shows as:
root at vdcsv1:~# LANG=C pdbedit -v gaio
Unix username: gaio
NT username:
Account Flags: [U ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: Tue, 03 Oct 2017 17:13:38 CEST
Logoff time: 0
Kickoff time: Thu, 14 Sep 30828 04:48:05 CEST
Password last set: Fri, 20 Oct 2017 16:52:13 CEST
Password can change: Fri, 20 Oct 2017 16:52:13 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
and looking at my account (and with a bit of Google ;-) I've found that,
for example, 'password last set' in LDAP is OK (minus a year; I have not
understood why):
root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
Thu Oct 20 16:52:13 CEST 2016
If I try to do the same with 'accountExpires':
root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
Wed Sep 15 04:48:05 CEST 30827
but Google tells me:
https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
and:
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2
9223372036854775807
so 'account never expires' matches 'never'.
Also, if I look at 'userAccountControl' I find 512 as the value:
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
512
so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx).
If I disable it:
root at vdcsv1:~# pdbedit --account-control="[D]" gaio
[...]
Account Flags: [DU ]
[...]
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
514
so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE.
If I set 'do not expire':
root at vdcsv1:~# pdbedit --account-control="[X]" gaio
[...]
Account Flags: [UX ]
[...]
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
66048
so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT && ADS_UF_DONT_EXPIRE_PASSWD.
So it seems to me that 'pdbedit' is still a useful and coherent tool for
setting account flags.
With these experiments, I split my question in two parts:
1) considering that 'accountExpires' is probably here for other things
(e.g. setting an account expiration ''per se'', not a *password*
expiration...), is the password expiration policy enforced
''automatically'' using the last password change and the policy value?!
In other words: to get the password expiration date, do I have to
''manually'' compute it by adding the policy days to the 'password last
set' date?
Supposing I'm not using (only) the ''default'' password policy, but
different password policies for different OUs (in GPOs), how can I
determine the 'max-pwd-age' policy value from the GPOs?
2) as it seems, is 'pdbedit' still a valuable tool for handling these
things (e.g. reading password dates and setting account flags)?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
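Editor's note with an added example, not part of the original post or of Samba itself. The attributes the post reads (pwdLastSet, accountExpires, the domain's maxPwdAge) are Windows FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC. The offset from that epoch to the Unix epoch is 11644473600 seconds; the constant used in the posted commands, 11676009600, is exactly 31536000 seconds (365 days) larger, which accounts for the one-year shift seen in the pwdLastSet output above. The script below converts FILETIME values with the correct offset, treats 0 and 0x7FFFFFFFFFFFFFFF as "never", decodes the userAccountControl bits seen in the post (0x2, 0x200, 0x10000), and computes password expiry as pwdLastSet plus the domain's maxPwdAge (stored as a negative interval on the domain root), honouring the DONT_EXPIRE_PASSWD bit. It assumes bash and GNU date; the LDIF sample and its DN are constructed for the demo and stand in for the real `ldbsearch` output shown in the comments.

```shell
#!/bin/bash
# Added example: FILETIME conversion and password-expiry computation for Samba AD
# attributes. Not from the original post; sample data below is constructed.

FILETIME_EPOCH_DELTA=11644473600     # seconds from 1601-01-01 to 1970-01-01 UTC
FILETIME_NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF, "never" for accountExpires
UF_ACCOUNTDISABLE=2                  # 0x2
UF_NORMAL_ACCOUNT=512                # 0x200
UF_DONT_EXPIRE_PASSWD=65536          # 0x10000

# FILETIME ticks -> Unix seconds. 0 and 0x7FFF... are sentinels, reported as "never".
filetime_to_unix() {
  local ft=$1
  if [ "$ft" -eq 0 ] || [ "$ft" -eq "$FILETIME_NEVER" ]; then
    echo never
  else
    echo $(( ft / 10000000 - FILETIME_EPOCH_DELTA ))
  fi
}

# FILETIME ticks -> human-readable UTC date (GNU date assumed).
filetime_to_date() {
  local u
  u=$(filetime_to_unix "$1")
  if [ "$u" = never ]; then
    echo never
  else
    date -u -d "@$u" '+%Y-%m-%d %H:%M:%S UTC'
  fi
}

# Decode the userAccountControl bits exercised in the post.
uac_flags() {
  local uac=$1 out=""
  if [ $(( uac & UF_ACCOUNTDISABLE )) -ne 0 ]; then out="$out ACCOUNTDISABLE"; fi
  if [ $(( uac & UF_NORMAL_ACCOUNT )) -ne 0 ]; then out="$out NORMAL_ACCOUNT"; fi
  if [ $(( uac & UF_DONT_EXPIRE_PASSWD )) -ne 0 ]; then out="$out DONT_EXPIRE_PASSWD"; fi
  echo "${out# }"
}

# Password expiry in Unix seconds: pwdLastSet + maxPwdAge, where maxPwdAge is a
# NEGATIVE tick interval on the domain root (-36288000000000 = 42 days).
# Prints "never" if the account has DONT_EXPIRE_PASSWD or the domain has no
# maximum age, and "expired" if pwdLastSet is 0 (must change at next logon).
password_expiry() {
  local pwd_last_set=$1 max_pwd_age=$2 uac=$3
  if [ $(( uac & UF_DONT_EXPIRE_PASSWD )) -ne 0 ] || [ "$max_pwd_age" = 0 ] \
     || [ "$max_pwd_age" = "-9223372036854775808" ]; then
    echo never; return 0
  fi
  if [ "$pwd_last_set" -eq 0 ]; then echo expired; return 0; fi
  echo $(( (pwd_last_set - max_pwd_age) / 10000000 - FILETIME_EPOCH_DELTA ))
}

# Pull one attribute value out of LDIF on stdin (first value only).
ldif_value() { grep "^$1: " | cut -d ' ' -f 2 | head -n 1; }

# Real sources would be:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b '<base DN>' '(cn=<user>)' \
#       pwdLastSet accountExpires userAccountControl
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b '<base DN>' maxPwdAge
# CONSTRUCTED sample standing in for that output (DN is a placeholder):
SAMPLE_USER='dn: CN=example,DC=example,DC=com
pwdLastSet: 131529847330000000
accountExpires: 9223372036854775807
userAccountControl: 512'
SAMPLE_MAX_PWD_AGE=-36288000000000   # 42 days, expressed as AD stores it

main() {
  local pls ae uac
  pls=$(printf '%s\n' "$SAMPLE_USER" | ldif_value pwdLastSet)
  ae=$(printf '%s\n' "$SAMPLE_USER" | ldif_value accountExpires)
  uac=$(printf '%s\n' "$SAMPLE_USER" | ldif_value userAccountControl)
  echo "pwdLastSet:          $(filetime_to_date "$pls")"
  echo "accountExpires:      $(filetime_to_date "$ae")"
  echo "userAccountControl:  $uac ($(uac_flags "$uac"))"
  local exp
  exp=$(password_expiry "$pls" "$SAMPLE_MAX_PWD_AGE" "$uac")
  if [ "$exp" = never ] || [ "$exp" = expired ]; then
    echo "password expires:    $exp"
  else
    echo "password expires:    $(date -u -d "@$exp" '+%Y-%m-%d %H:%M:%S UTC')"
  fi
}

[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

With the constructed pwdLastSet above (the value corresponding to the post's "Fri, 20 Oct 2017 16:52:13 CEST"), the script prints 2017-10-20 14:52:13 UTC, and with a 42-day maxPwdAge the expiry lands on 2017-12-01. Setting the [X] flag via pdbedit (userAccountControl 66048) makes the same call return "never", and accountExpires 9223372036854775807 is reported as "never" rather than the year 30827.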