[Samba] samba-tool user password/setpassword and password change timestamp...
Marco Gaiarin
gaio at sv.lnf.it
Mon Jun 18 10:42:20 UTC 2018
Ok, some more info. But the whole situation is still not clear.
I've set up a wrapper around 'check password script' (for my old NT like
domains) and 'samba-tool user syncpasswords' for my new AD domain.
In the ''consumer'' script on the AD side, that receives passwords from
the NT domains, at the end I do:
samba-tool user setpassword <user> --option="check password script"="" --newpassword="NEWPass"
and effectively users get password propagated correctly.
But some users (roughly at least 50%, so it does not seem a ''glitch'') have
the password changed BUT the last password change not updated, so typically
they log in and the new domain asks for a password change (or says that the
account is disabled).
I've done some ''manual tests'', and all seems to work as expected:
Initial:
Unix username: gaio
NT username:
Account Flags: [U ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory: \\HOMESV\Users\gaio
HomeDir Drive: P:
Logon Script:
Profile Path: \\HOMESV\profiles\gaio
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: lun, 18 giu 2018 11:45:24 CEST
Logoff time: 0
Kickoff time: gio, 14 set 30828 04:48:05 CEST
Password last set: lun, 07 mag 2018 12:22:50 CEST
Password can change: lun, 07 mag 2018 12:22:50 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
After a:
root@vdcsv1:~# samba-tool user setpassword gaio --option="check password script"="" --newpassword="NotThisPass"
Changed password OK
Now it is:
Unix username: gaio
NT username:
Account Flags: [U ]
User SID: S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
Full Name: Marco Gaiarin
Home Directory: \\HOMESV\Users\gaio
HomeDir Drive: P:
Logon Script:
Profile Path: \\HOMESV\profiles\gaio
Domain:
Account desc: Marco Gaiarin
Workstations:
Munged dial:
Logon time: lun, 18 giu 2018 11:45:24 CEST
Logoff time: 0
Kickoff time: gio, 14 set 30828 04:48:05 CEST
Password last set: lun, 18 giu 2018 12:18:13 CEST
Password can change: lun, 18 giu 2018 12:18:13 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
and also:
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(sAMAccountName=gaio)" msDS-UserPasswordExpiryTimeComputed pwdLastSet | egrep '^(msDS-UserPasswordExpiryTimeCompu
pwdLastSet: 131737906930682280
msDS-UserPasswordExpiryTimeComputed: 131815666930682280
root@vdcsv1:~# bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
131815666930682280-131737906930682280
77760000000000
and it matches.
How could this be?! Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
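
Added example (not part of the original message, and not Samba code): a small audit of ldbsearch output that decodes pwdLastSet and msDS-UserPasswordExpiryTimeComputed as 100 ns ticks since 1601-01-01 UTC and reports, per account, whether the password is ok, expired, or must be changed at next logon (pwdLastSet of 0). The sample input is constructed: gaio's two values are the ones shown above, "testuser" is hypothetical, and plain "attribute: value" lines without folding or base64 are assumed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF       # AD sentinel: password never expires
TICKS_PER_DAY = 864_000_000_000  # 100 ns ticks in 24 h

# Constructed sample: gaio's values are from the post, testuser is hypothetical.
SAMPLE = """\
# record 1
sAMAccountName: gaio
pwdLastSet: 131737906930682280
msDS-UserPasswordExpiryTimeComputed: 131815666930682280

# record 2
sAMAccountName: testuser
pwdLastSet: 0
"""

def filetime_to_utc(ticks):
    """AD timestamps count 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated record."""
    for block in text.split("\n\n"):
        rec = dict(l.split(": ", 1) for l in block.splitlines()
                   if ": " in l and not l.startswith("#"))
        if rec:
            yield rec

def audit(text, now):
    """Map each account to (status, max password age in days or None)."""
    report = {}
    for rec in parse_ldif(text):
        name = rec.get("sAMAccountName", "?")
        last = int(rec.get("pwdLastSet", 0))
        expiry = int(rec.get("msDS-UserPasswordExpiryTimeComputed", NEVER))
        if last == 0:  # the state that forces a change at next logon
            report[name] = ("must change at next logon", None)
            continue
        age = None if expiry == NEVER else (expiry - last) / TICKS_PER_DAY
        expired = age is not None and filetime_to_utc(expiry) <= now
        report[name] = ("expired" if expired else "ok", age)
    return report

if __name__ == "__main__":
    print(filetime_to_utc(131737906930682280).isoformat(timespec="seconds"))
    for user, result in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(user, *result)
```

Run against the real ldbsearch output right after each sync, it lists the accounts whose timestamp did not follow the password change.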