[Samba] samba-tool user password/setpassword and password change timestamp...

Marco Gaiarin gaio at sv.lnf.it
Mon Jun 18 10:42:20 UTC 2018


OK, some more info. But the whole situation is still not clear.

I've set up a wrapper around 'check password script' (for my old NT-like
domains) and 'samba-tool user syncpasswords' for my new AD domain.

In the ''consumer'' script on the AD side, which receives passwords from
the NT domains, at the end I do:

	samba-tool user setpassword <user> --option="check password script"="" --newpassword="NEWPass"

and effectively users get password propagated correctly.

But some users (roughly at least 50%, so it seems not to be a ''glitch'')
have the password changed BUT the last password change not updated, so
typically they log in and the new domain asks for a password change (or
says that the account is disabled).


I've done some ''manual tests'', and all seems to work as expected:

Initial:
 Unix username:        gaio
 NT username: 
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       \\HOMESV\Users\gaio
 HomeDir Drive:        P:
 Logon Script:         
 Profile Path:         \\HOMESV\profiles\gaio
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:          
 Munged dial:           
 Logon time:           lun, 18 giu 2018 11:45:24 CEST
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    lun, 07 mag 2018 12:22:50 CEST
 Password can change:  lun, 07 mag 2018 12:22:50 CEST
 Password must change: never
 Last bad password   : 0   
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

After a:
 root@vdcsv1:~# samba-tool user setpassword gaio --option="check password script"="" --newpassword="NotThisPass"
 Changed password OK
Now it is:
 Unix username:        gaio
 NT username: 
 Account Flags:        [U          ]
 User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
 Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
 Full Name:            Marco Gaiarin
 Home Directory:       \\HOMESV\Users\gaio
 HomeDir Drive:        P:
 Logon Script:
 Profile Path:         \\HOMESV\profiles\gaio
 Domain:               
 Account desc:         Marco Gaiarin
 Workstations:          
 Munged dial:           
 Logon time:           lun, 18 giu 2018 11:45:24 CEST
 Logoff time:          0
 Kickoff time:         gio, 14 set 30828 04:48:05 CEST
 Password last set:    lun, 18 giu 2018 12:18:13 CEST
 Password can change:  lun, 18 giu 2018 12:18:13 CEST   
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
and also:
 root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(sAMAccountName=gaio)" msDS-UserPasswordExpiryTimeComputed pwdLastSet | egrep '^(msDS-UserPasswordExpiryTimeCompu
 pwdLastSet: 131737906930682280
 msDS-UserPasswordExpiryTimeComputed: 131815666930682280
 root@vdcsv1:~# bc
 bc 1.06.95
 Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
 This is free software with ABSOLUTELY NO WARRANTY.
 For details type `warranty'. 
 131815666930682280-131737906930682280
 77760000000000
and it matches.


How could this be?! Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
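
An added example, not part of the original post: a Python audit that reads ldbsearch output for many accounts and lists those whose pwdLastSet does not reflect a password push, which is the symptom described above. It assumes the search also requested sAMAccountName; gaio's values are taken from the post, while user_a, user_b and the push time PUSHED_AT are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """AD timestamps count 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def max_age_days(pwd_last_set, expiry):
    """Password lifetime implied by the two attributes, in days."""
    return (expiry - pwd_last_set) / 10**7 / 86400

def parse_records(ldif):
    """Split ldbsearch output into one dict per blank-line separated record."""
    rec = {}
    for line in ldif.splitlines() + [""]:
        line = line.strip()
        if not line:
            if rec:
                yield rec
            rec = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            rec[key] = value

def audit(ldif, pushed_at):
    """Return {account: reason} where pwdLastSet does not reflect the push."""
    findings = {}
    for rec in parse_records(ldif):
        name = rec.get("sAMAccountName")
        if name is None:
            continue
        pls = int(rec.get("pwdLastSet", "0"))
        if pls == 0:
            findings[name] = "pwdLastSet is 0: change forced at next logon"
        elif filetime_to_datetime(pls) < pushed_at:
            findings[name] = "pwdLastSet predates the push"
    return findings

# gaio's values are from the post; user_a and user_b are constructed.
SAMPLE = """# record 1
sAMAccountName: gaio
pwdLastSet: 131737906930682280
msDS-UserPasswordExpiryTimeComputed: 131815666930682280

# record 2
sAMAccountName: user_a
pwdLastSet: 0

# record 3
sAMAccountName: user_b
pwdLastSet: 131701621700000000
"""
PUSHED_AT = datetime(2018, 6, 18, 10, 0, tzinfo=timezone.utc)  # assumed push time
```

Running audit(SAMPLE, PUSHED_AT) right after the consumer script has pushed a batch gives the list of accounts to inspect by hand.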


