[Samba] Some hint reading password expiration data...

Rowland Penny rpenny at samba.org
Tue Oct 24 17:13:10 UTC 2017


On Tue, 24 Oct 2017 18:37:09 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
> 
> > The main problem here is that you are still looking at the problem
> > from the NT perspective,
> 
> Seems obvious to me. I came from 10+ years of experience on Samba3 NT
> domains, that indeed had excellent documentation and a more (for me)
> UNIX-minded approach.
> 
> I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and I
> can see that many of them still work in AD mode.
> 
> Still, every tool does something a bit different from the others, and
> still some things cannot be done now by these tools, or by samba-tool
> that I suppose aims to substitute all of them.
> 
> I'm trying to understand, moving away from NT and jumping in AD. Sorry
> for my messages, but it is very hard to search for some info without
> clue...

No problem, as I keep saying, the only stupid question is the one you
don't ask ;-)

> 
> 
> 
> > 'accountExpires' has nothing to do with when the password
> > expires ;-)
> 
> I know. But in NT mode, samba (or was the smbldap-tools?) was used to
> write in 'accountExpires' explicitly, so I'm asking about it.

I never use pdbedit, so don't know how it works.

> 
> 
> > Setting 'userAccountControl' to 514, disables the account, it
> > doesn't do anything to the password.
> 
> Again I know that. I was asking effectively if 'pdbedit' is still an
> affordable tool to write account control in AD.

See here for info on 'userAccountControl':

https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

I believe pdbedit will do what you are asking, but as I don't use it, I
don't know how to.

> 
> > The one you need to
> > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate
> > when the password expires.
> 
> Ok, I've found that attribute, on the 'root' of the LDAP tree; but I
> think, measurement unit apart, it is the same as:
> 
> 	root@vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum
> 	Maximum password age (days): 90
> 
> right?

Somebody has changed it ;-)
The default is '42'

> 
> 
> > The easiest way to find info on this subject is to remember that you
> > are now using Active Directory and use this in an internet search,
> > along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the
> > search.
> 
> Ok, good. But still I've not the answer to one of my questions, indeed.
> 
> Is password expiration computed ''dynamically'' (now < pwdLastSet +
> maxPwdAge), or is the value of password expiration (pwdLastSet +
> maxPwdAge) saved (or accessible) somewhere?
> 
 
Good question, at the moment it is 'dynamic', but there is the
'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem to
be used yet by Samba.

Rowland
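
The 'dynamic' calculation discussed in this message (pwdLastSet plus maxPwdAge), as an added example that is not part of the original thread and is not Samba's own code. The function names and sample values are constructed; the special cases (userAccountControl flag 0x10000, a pwdLastSet of 0, a maxPwdAge of 0 or the minimum 64-bit value) reflect standard Active Directory semantics and are assumptions not taken from the thread.

```python
from datetime import datetime, timedelta, timezone

# AD stores times as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
NEVER = 0x7FFFFFFFFFFFFFFF             # "password never expires"
NO_MAX_AGE = (0, -0x8000000000000000)  # maxPwdAge values meaning "no limit"

def days_to_maxpwdage(days):
    """'Maximum password age (days)' -> raw maxPwdAge (a negative interval)."""
    return -days * 86400 * TICKS_PER_SECOND

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)

def filetime_to_datetime(ticks):
    # Only for real timestamps; NEVER is outside datetime's range.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Expiry time in ticks: NEVER, 0 (must change now), or a timestamp."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return NEVER
    if pwd_last_set == 0:              # "must change password at next logon"
        return 0
    if max_pwd_age in NO_MAX_AGE:
        return NEVER
    return pwd_last_set - max_pwd_age  # maxPwdAge is negative, so this adds

def is_expired(pwd_last_set, max_pwd_age, user_account_control, now):
    """The check from the thread: the password is valid while now < expiry."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    return datetime_to_filetime(now) >= expiry

if __name__ == "__main__":
    # Constructed sample: password set when this message was sent,
    # normal account (512), 90-day policy as in the quoted output.
    last_set = datetime_to_filetime(
        datetime(2017, 10, 24, 17, 13, 10, tzinfo=timezone.utc))
    expiry = password_expiry(last_set, days_to_maxpwdage(90), 512)
    print("maxPwdAge:", days_to_maxpwdage(90))
    print("expires:  ", filetime_to_datetime(expiry).isoformat())
```

On a live domain the three inputs would be read over LDAP: pwdLastSet and userAccountControl from the user object, maxPwdAge from the domain root object.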


