[Samba] Password policy for user-managed passwords

Fri Oct 29 20:01:04 UTC 2021

On Fri, Oct 29, 2021 at 3:21 PM Philippe LeCavalier via samba
<samba at lists.samba.org> wrote:
>
> On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > >
> > > >
> > > > You can force a user to change their password by resetting it with:
> > > >
> > > > samba-tool user setpassword User1 --newpassword=passw0rd --must-
> > > > change-
> > > > at-next-login
> > > > This implies I have to set a password that I would provide to them
> > > > before they can set a new one if I'm reading that correctly? How
> > > > would I apply that domain wide?
> >
> > I would only do this for individual users or new users. I suppose you
> > could write a script to do it, randomly create a password and use that,
> > the problem would be in getting the interim password to the user, but
> > you never know, someone may have an idea how to this.
> >
> > > > There are a couple of attributes that need changing,
> > > > userAccountControl
> > > > and accountExpires
> > > >
> > > > If 'accountExpires' isn't set, then the password will expire on the
> > > > day
> > > > shown by the first samba-tool command above. A value of 0 or
> > > > 9223372036854775807 indicates that the account never expires.
> > > >
> > > > You can set the password expiry with:
> > > > samba-tool user setexpiry
> > > > Yes. This is the setting I typically set to 0.
> > > >
> > > > Add '--help' to the above command for more info.
> > > >
> > > > Rowland
> > > > I'm still uncertain how I transition smoothly. If I set the
> > > > password to expire after 1 day will they be prompted to change it
> > > > or will their account be disabled per the wording for that option?
> >
> > The 'prompting' is down to the display manager, it should prompt the
> > user to change their password, it should prompt well before the
> > password expires, so I wouldn't use 1 day.
> >
> > > > If the first users to change their password change it within a few
> > > > hours but the others take a week won't the ones that change it be
> > > > forced to change every day untill the slowest tell me they've
> > > > completed the task and I can change the policy to 60 or 90?
> >
> > It doesn't work that way, if you set expiry to 1 day, then that is when
> > the password will expire, so if the users do not change their passwords
> > before the end of the day, then any passwords not changed will expire
> > and those users will not be able login. You are correct about the users
> > having to change their passwords everyday, that is yet another reason
> > to not use 1 day.
> >
> > > > Also, you mentioned 'userAccountControl' needed changing but you
> > > > didn't elaborate.
> >
> > Sorry, if you use samba-tool to set a users expiry, then that attribute
> > is set for you. To understand 'userAccountControl', try reading this:
> >
> > https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
> >
> > Rowland
> >
>
> Working on implementing this and I'm at the stage where I've enabled (but
> not forced) self managed password. In other words, I have not set
> an expiration but users should be able to change their passwords. With my
> admin account and a test user account everything works: I create the user,
> login with the temp password, change the password and it works. But when
> existing users of the network try, they get an 'access denied'. I looked
> around and can't find much other than the possibility that a GPO with min
> passwd age might be preventing the change. Before I go unnecessarily
> messing with GPOs I thought I'd ask here. I'm wondering if perhaps this
> might be a terminal services issue?

Maybe not even a GPO, but just a domain password policy.

Run this on the domain controller:

    $ sudo samba-tool domain passwordsettings show

and look for "Minimum password age (days)"