[Samba] Password Expiration setting and manually adjusting the date

Philippe LeCavalier support at plecavalier.com
Wed Jun 8 19:10:09 UTC 2022


On Wed, Jun 8, 2022 at 4:36 AM L. van Belle via samba <samba at lists.samba.org>
wrote:

> I suggest, increase the debug level, see that happening when users change a
> password.
> And tell us which samba version and OS you're using, add the content of
> smb.conf
>
> That's pretty important.

I was asking if it is expected behaviour. I suppose I could interpret you
asking for this information as confirmation that it is not expected...

>
>
> This one might help out.
> sudo samba-tool domain passwordsettings
>
plecavalier# samba-tool domain passwordsettings show
Password information for domain 'DC=intranet,DC=domain,DC=ca'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 15

plecavalier# uname -ar
Linux piwc11 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
GNU/Linux

plecavalier# dpkg -l | grep samba
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u3       amd64
   Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u3       amd64
   SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u3       all
   common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u3       amd64
   Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u3       amd64
   Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u3       amd64
   Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u3       amd64
   Samba Virtual FileSystem plugins
plecavalier# dpkg -l | grep winbind
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64
   Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64
   Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u3       amd64
   Samba winbind client library
ii  winbind                        2:4.13.13+dfsg-1~deb11u3       amd64
   service to resolve user and group information from Windows NT servers

plecavalier# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = INTRANET
realm = INTRANET.DOMAIN.CA
netbios name = DC11
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.domain.ca/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[profiles]
path = /data/profiles
read only = no

>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba <samba-bounces at lists.samba.org> On behalf of Philippe LeCavalier
> > via samba
> > Sent: Wednesday, 8 June 2022 03:05
> > To: samba <samba at lists.samba.org>
> > Subject: Re: [Samba] Password Expiration setting and manually adjusting
> > the date
> >
> > On Tue, Jun 7, 2022 at 10:21 AM Philippe LeCavalier
> > <support at plecavalier.com>
> > wrote:
> >
> > > Hi,
> > > Does anyone have experience with having a password expiration (say 60
> > > days) and manually adjusting a user's expiration date?
> > >
> > > I've got several domains all of which have a 90 day expiration in
> > > ad-dc.
> > > Frequently, users forget to change it and get locked out. I find that
> > > when I postpone the expiration by adjusting the date (either in RSAT
> > > or CLI - whichever is most handy at the time) when the user changes
> > > the password the expiration doesn't change from the one I set. So if I
> > > give the user 3 days to change it and they change it the next day, the
> > > user still gets locked out on the third day yet I would expect it to
> > > not expire until the 90th day from the day it was changed.
> > >
> > > Is this normal behaviour and if it is, what is the expected method for
> > > dealing with a user with an expired account? If it isn't, what do I
> > > need to look at to rectify this?
> > > Thanks, Phil
> > >
> > Anyone experienced this?
>
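
As an added example (not part of the original message and not Samba's own code), the `samba-tool domain passwordsettings show` output quoted above can be parsed and checked mechanically: a maximum password age of 0 means the domain policy never expires passwords, and a lockout threshold of 0 means failed logons never lock an account. The function names and the minimum-length baseline of 8 are assumptions of this example.

```python
import re

# Constructed sample: the settings output quoted in the message above.
SAMPLE = """\
Password information for domain 'DC=intranet,DC=domain,DC=ca'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 15
"""

MIN_LENGTH_BASELINE = 8  # assumption of this example, not a Samba default

LINE = re.compile(r"^\s*([^:]+?)(?:\s*\([^)]*\))?:\s*(\S+)\s*$")


def parse_settings(text):
    """Map each 'Name (unit): value' line to name -> int or str."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # the header line and shell prompts have no 'name: value' shape
            name, value = m.groups()
            settings[name] = int(value) if value.isdigit() else value
    return settings


def audit(settings):
    """Return (code, explanation) pairs; a missing setting raises KeyError."""
    findings = []
    if settings["Maximum password age"] == 0:
        findings.append(("max-age", "0 days: passwords never expire by domain policy"))
    if settings["Account lockout threshold"] == 0:
        findings.append(("lockout", "threshold 0: failed logons never lock an account"))
    if settings["Minimum password length"] < MIN_LENGTH_BASELINE:
        findings.append(("min-length", f"shorter than baseline {MIN_LENGTH_BASELINE}"))
    if settings["Password complexity"] != "on":
        findings.append(("complexity", "complexity checks are off"))
    if settings["Store plaintext passwords"] != "off":
        findings.append(("plaintext", "reversibly stored passwords are enabled"))
    return findings


if __name__ == "__main__":
    for code, why in audit(parse_settings(SAMPLE)):
        print(f"{code}: {why}")
```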
