Hi guys,

I'm battling to understand how the Samba4 user password expiry seems to tie in together and was hoping this could be clarified by someone for me please?

Currently I have the following Samba4 domain policies in place...

[root at headoffice ~]# samba-tool domain passwordsettings show
Password informations for domain 'DC=abc-ho,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 12
Minimum password length: 8
Minimum password age (days): 1
Maximum password age (days): 60

If I search for an account on the command line, the following attributes show...

ldapsearch -x -H "ldap://160.128.20.8:389" -b "dc=abc-ho,dc=local" -D "blabla at abc-ho.local" -w mypass sAMAccountName=hr

# extended LDIF
#
# LDAPv3
# base <dc=abc-ho,dc=local> with scope subtree
# filter: sAMAccountName=hr
# requesting: ALL
#

# hr, Users, abc-ho.local
dn: CN=hr,CN=Users,DC=abc-ho,DC=local
cn: hr
instanceType: 4
whenCreated: 20140819154552.0Z
uSNCreated: 4452
name: hr
objectGUID:: 9yP2bYYXoUCCpl1Hk7fEww=
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAZJdR33OuC9uXLb9laQQAAA=
logonCount: 0
sAMAccountName: hr
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=abc-ho,DC=local
homeDirectory: \\headoffice\hr
homeDrive: Z:
scriptPath: hr.bat
accountExpires: 137919572470000000
logonHours:: ////////////////////////////
userAccountControl: 512
description: Head Office HR
uidNumber: 1129
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/hr
loginShell: /bin/false
gidNumber: 513
msSFU30NisDomain: abc-ho
displayName:
whenChanged: 20150102054825.0Z
uSNChanged: 74252
pwdLastSet: 130646513050000000
distinguishedName: CN=hr,CN=Users,DC=abc-ho,DC=local

If I then look through the "AD Domain Users and Groups" utility under the "Account" tab the password is set to expire on the 17th of January 2038 (which I presume came from when the accounts were imported off an old Samba3 server).

Surely if I've set the domain policy of 60 day expiry, this should override the pre-existing account expiry? I'm fairly certain this account has existed for more than 60 days since the policy was enabled.

I'm running sernet-samba-ad-4.1.12-9.el6.x86_64

Please shout if you have any questions.

Thanks, any help is appreciated.

Regards.
Neil Wilson.
Account expiry and password expiry are not the same....

BR, Marcel

2015-01-12 10:15 GMT+01:00 Neil <nwilson123 at gmail.com>:

> [..]
> If I then look through the "AD Domain Users and Groups" utility under
> the "Account" tab the password is set to expire on the 17th of January
> 2038 (which I presume came from when the accounts were imported off an
> old Samba3 server)
>
> Surely if I've set the domain policy of 60 day expiry, this should
> override the pre-existing account expiry? I'm fairly certain this
> account has existed for more than 60 days since the policy was
> enabled.
> [..]
Good morning everyone!

I would like to clear up some doubts, if possible.

1) I have been following the list and saw that people are raising the functional level of Samba4 to 2008r2. Is it worth it? What is gained by that?
2) I worked a while ago with the late NetWare 5.x, and it had a function where a user only saw a folder if he was a member of its owner group. Is that possible in Samba4?
3) I noticed that most of the GPOs work only when the user is in the administrator group; when I leave it in the Domain_users group, they do not apply. Am I doing something wrong?

Thank you, and have a good start to the week.

Gabriel Franca
Thanks for the answer Marcel, I did get them confused.

Any ideas why then that my passwords don't seem to be expiring even well after 60 days and despite having the domain policy enforcing password expiry?

Thanks.

Regards.
Neil Wilson.

On Mon, Jan 12, 2015 at 12:46 PM, Marcel de Reuver <marcel at de.reuver.org> wrote:

> Account expiry and password expiry are not the same....
>
> BR, Marcel
>
> 2015-01-12 10:15 GMT+01:00 Neil <nwilson123 at gmail.com>:
>
>> [..]
>> If I then look through the "AD Domain Users and Groups" utility under
>> the "Account" tab the password is set to expire on the 17th of January
>> 2038 (which I presume came from when the accounts were imported off an
>> old Samba3 server)
>>
>> Surely if I've set the domain policy of 60 day expiry, this should
>> override the pre-existing account expiry? I'm fairly certain this
>> account has existed for more than 60 days since the policy was
>> enabled.
>> [..]
"pwdLastSet" and the "Maximum password age (days)" will enforce a password change on a Windows client. With free Windows tool "AD Explorer" you can explore the Active Directory and see pwdLastSet human readable for your accounts. BR, Marcel 2015-01-12 10:15 GMT+01:00 Neil <nwilson123 at gmail.com>:> > [..] > [root at headoffice ~]# samba-tool domain passwordsettings show > Password informations for domain 'DC=abc-ho,DC=local' > Password complexity: on > Store plaintext passwords: off > Password history length: 12 > Minimum password length: 8 > Minimum password age (days): 1 > Maximum password age (days): 60 > > If I search for an account on the command line, the following attributes > show... > > ldapsearch -x -H "ldap://160.128.20.8:389" -b "dc=abc-ho,dc=local" -D > [..] > pwdLastSet: 130646513050000000 > [..] >