[Samba] Password policy for user-managed passwords

Philippe LeCavalier support at plecavalier.com
Fri Oct 29 19:20:14 UTC 2021


On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> >
> > >
> > > You can force a user to change their password by resetting it with:
> > >
> > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> > > This implies I have to set a password that I would provide to them
> > > before they can set a new one if I'm reading that correctly? How
> > > would I apply that domain wide?
>
> I would only do this for individual users or new users. I suppose you
> could write a script to do it, randomly create a password and use that,
> the problem would be in getting the interim password to the user, but
> you never know, someone may have an idea how to do this.
>
> > > There are a couple of attributes that need changing,
> > > userAccountControl
> > > and accountExpires
> > >
> > > If 'accountExpires' isn't set, then the password will expire on the
> > > day
> > > shown by the first samba-tool command above. A value of 0 or
> > > 9223372036854775807 indicates that the account never expires.
> > >
> > > You can set the password expiry with:
> > > samba-tool user setexpiry
> > > Yes. This is the setting I typically set to 0.
> > >
> > > Add '--help' to the above command for more info.
> > >
> > > Rowland
> > > I'm still uncertain how I transition smoothly. If I set the
> > > password to expire after 1 day will they be prompted to change it
> > > or will their account be disabled per the wording for that option?
>
> The 'prompting' is down to the display manager, it should prompt the
> user to change their password, it should prompt well before the
> password expires, so I wouldn't use 1 day.
>
> > > If the first users to change their password change it within a few
> > > hours but the others take a week won't the ones that change it be
> > > forced to change every day until the slowest tell me they've
> > > completed the task and I can change the policy to 60 or 90?
>
> It doesn't work that way, if you set expiry to 1 day, then that is when
> the password will expire, so if the users do not change their passwords
> before the end of the day, then any passwords not changed will expire
> and those users will not be able to log in. You are correct about the users
> having to change their passwords every day, that is yet another reason
> to not use 1 day.
>
> > > Also, you mentioned 'userAccountControl' needed changing but you
> > > didn't elaborate.
>
> Sorry, if you use samba-tool to set a user's expiry, then that attribute
> is set for you. To understand 'userAccountControl', try reading this:
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
>
> Rowland
>

Working on implementing this and I'm at the stage where I've enabled (but
not forced) self-managed passwords. In other words, I have not set
an expiration but users should be able to change their passwords. With my
admin account and a test user account everything works: I create the user,
log in with the temp password, change the password and it works. But when
existing users of the network try, they get an 'access denied'. I looked
around and can't find much other than the possibility that a GPO with min
passwd age might be preventing the change. Before I go unnecessarily
messing with GPOs I thought I'd ask here. I'm wondering if perhaps this
might be a terminal services issue?
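Rowland's suggestion earlier in the thread of scripting the reset with a random interim password, written out as an added example (it is not code from the thread or from the Samba project). It assumes samba-tool is on PATH on a DC (or SAMBA_TOOL points at it), that the caller may reset passwords, that the domain uses Samba's default "3 of 4 character classes" complexity rule, and that usernames are passed as arguments. DRY_RUN=1, the default, only prints what would run; the interim passwords land in a 0600 file for the admin to hand out one by one, which is the delivery problem Rowland mentions.

```shell
#!/bin/sh
# Added example, not from the thread or Samba. Assumptions: samba-tool on PATH
# (or SAMBA_TOOL set), run on a DC by someone allowed to reset passwords,
# default complexity policy (check: samba-tool domain passwordsettings show).
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
DRY_RUN="${DRY_RUN:-1}"
PW_LEN="${PW_LEN:-16}"

# True when the password contains upper, lower and digit characters, which
# satisfies the default "3 of 4 classes" rule. POSIX classes avoid locale
# surprises with ranges like [A-Z].
has_complexity() {
    printf '%s' "$1" | grep -q '[[:upper:]]' &&
    printf '%s' "$1" | grep -q '[[:lower:]]' &&
    printf '%s' "$1" | grep -q '[[:digit:]]'
}

# Draw PW_LEN alphanumeric characters from the kernel CSPRNG, retrying until
# the result passes has_complexity (an empty string never does).
gen_interim_password() {
    _pw=""
    while ! has_complexity "$_pw"; do
        _pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$PW_LEN")
    done
    printf '%s' "$_pw"
}

# Reset one user to a fresh interim password and flag the account so the next
# logon forces a change (this is the --must-change-at-next-login flag from the
# thread). The interim value goes to stdout only; note that --newpassword=
# is briefly visible in the process list on the DC while samba-tool runs.
force_change_at_next_login() {
    user="$1"
    interim=$(gen_interim_password)
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY RUN: $SAMBA_TOOL user setpassword '$user'" \
             "--newpassword=<hidden> --must-change-at-next-login" >&2
    else
        "$SAMBA_TOOL" user setpassword "$user" \
            --newpassword="$interim" --must-change-at-next-login >&2 || return 1
    fi
    printf '%s\n' "$interim"
}

# Process every username given on the command line and write "user interim"
# pairs to a file readable only by the caller (umask 077), never to a shared
# location or a mail to the user.
main() {
    umask 077
    out="${OUT_FILE:-interim-passwords.txt}"
    : > "$out"
    for u in "$@"; do
        if p=$(force_change_at_next_login "$u"); then
            printf '%s %s\n' "$u" "$p" >> "$out"
        else
            echo "failed: $u" >&2
        fi
    done
    echo "interim passwords written to $out (mode 0600)" >&2
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `DRY_RUN=1 sh rotate.sh alice bob` first to see the commands, then with `DRY_RUN=0` to apply them. Because the script only touches pwdLastSet via setpassword and never calls setexpiry, accountExpires is left alone, so nobody is locked out of their account: a user who has not yet logged on simply still has the must-change flag set.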
