[Samba] Some hint reading password expiration data...

Rowland Penny rpenny at samba.org
Mon Oct 23 16:07:55 UTC 2017 

On Mon, 23 Oct 2017 16:52:05 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> Sorry, i came back on this, but:
> 
> > In another, more generic, way: how password policies are enforced?
> 
> still i need an answer on this question.
> 
> 
> I've done some tests, using my account, that pdbedit say:
> 
>  root at vdcsv1:~# LANG=C pdbedit -v gaio
>  Unix username:        gaio
>  NT username:          
>  Account Flags:        [U          ]
>  User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
>  Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
>  Full Name:            Marco Gaiarin
>  Home Directory:       
>  HomeDir Drive:        (null)
>  Logon Script:         
>  Profile Path:         
>  Domain:               
>  Account desc:         Marco Gaiarin
>  Workstations:         
>  Munged dial:          
>  Logon time:           Tue, 03 Oct 2017 17:13:38 CEST
>  Logoff time:          0
>  Kickoff time:         Thu, 14 Sep 30828 04:48:05 CEST
>  Password last set:    Fri, 20 Oct 2017 16:52:13 CEST
>  Password can change:  Fri, 20 Oct 2017 16:52:13 CEST
>  Password must change: never
>  Last bad password   : 0
>  Bad password count  : 0
>  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> and looking at my account (and with a bit of google ;-) i've found
> that, for example, password last set in LDAP is OK (minus a year,
> i've not understood why):
> 
>  root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) -
> 11676009600 ))" Thu Oct 20 16:52:13 CEST 2016
> 
> If i try to do the same with 'accountExpires':
> 
>  root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000)
> - 11676009600 ))" Wed Sep 15 04:48:05 CEST 30827
> 
> but google say me:
> 	https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
> 
> and:
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' |
> cut -d ' ' -f 2 9223372036854775807
> 
> so 'account never expires' matches with 'never'.
> 
> 
> Also, if i look at 'userAccountControl' i found 512 as a value:
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2 512
> 
> so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by
> https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx).
> 
> If i disable it:
> 	root at vdcsv1:~# pdbedit --account-control="[D]" gaio
> 	[...]
> 	Account Flags:        [DU         ]
> 	[...]
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2 514
> 
> so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE.
> 
> If i set 'do not expire':
> 	root at vdcsv1:~# pdbedit --account-control="[X]" gaio
> 	[...]
> 	Account Flags:        [UX         ]
> 	[...]
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2 66048
> 
> so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT &&
> ADS_UF_DONT_EXPIRE_PASSWD.
> 
> So, seems to me that 'pdbedit' is still a useful and coherent tool to
> set account flags.
> 
> 
> 
> With these experiments, i split my question in two part:
> 
> 
> 1) considering that 'accountExpires' probably is here for other things
>  (eg, setting an account expiration ''per se'', not for setting
> *password* expiration...), password expiration policy are enforced
> ''automatically'' using last password change and policy value?!
> In other way: to have the password expiration date, i've to
> ''manually'' compute the date adding the policy days to the last
> password set date?
> Supposing i'm not using (only) ''default'' password policy, but i use
> different password policies for different OUs (in GPOs), how can i
> determine the 'max-pwd-age' policy value from GPOs?
> 
> 2) as seems to be, 'pdbedit' is still a valuable tool to handle this
>  things (eg, read password dates and setting account flags)?
> 
> 
> Thanks.
> 

The main problem here is that you are still looking at the problem from
the NT perpective, 'accountExpires' has nothing to do with when the
password expires ;-)

Setting 'userAccountControl' to 514, disables the account, it doesn't
do anything to the password.

There are a few attributes in play here, one of which you haven't
mentioned: 'ms-DS-User-Account-Control-Computed'. The one you need to
look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate
when the password expires.

The easiest way to find info on this subject is to remember that you
are now using Active Directory and use this in an internet search,
along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the
search.

Rowland

More information about the samba mailing list