In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seem to ''get written'' to user data. E.g., if I set:

pdbedit -P "maximum password age" -C 7776000

and I change my password, 'Password must change' has a meaningful value, e.g. 90 days more than the last password change:

root at armitage:~# pdbedit -v gaio
Unix username:        gaio
NT username:          gaio
Account Flags:        [U          ]
User SID:             S-1-5-21-1458177777-355997386-270368766-1087
Primary Group SID:    S-1-5-21-1458177777-355997386-270368766-1009
Full Name:            Marco Gaiarin
Home Directory:       \\ARMITAGE\gaio
HomeDir Drive:        p:
Logon Script:         startup.bat
Profile Path:         \\ARMITAGE\profiles\gaio
Domain:               SANVITO
Account desc:
Workstations:
Munged dial:
Logon time:           mer, 18 ott 2017 11:43:42 CEST
Logoff time:          gio, 14 lug 2005 16:27:33 CEST
Kickoff time:         0
Password last set:    mer, 18 ott 2017 11:42:12 CEST
Password can change:  mer, 18 ott 2017 11:42:12 CEST
Password must change: mar, 16 gen 2018 10:42:12 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

But in the new 'AD' domain I'm setting up, things do not seem to work like this.
If I set the same policy:

samba-tool domain passwordsettings set --max-pwd-age=90

and I change the password, I get:

root at vdcsv1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           mar, 03 ott 2017 17:13:38 CEST
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    ven, 20 ott 2017 16:15:36 CEST
Password can change:  ven, 20 ott 2017 16:15:36 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Note the 'Password must change: never'. Is this ''normal'', e.g. do password policies get applied without setting 'Password must change:'? Or am I missing something? In another, more generic, way: how are password policies enforced?
I've noted that if I change a password with '--must-change-at-next-login', I get a different value (0):

root at vdcsv1:~# samba-tool user setpassword --random-password --must-change-at-next-login --option="check password script"="" gaio
Changed password OK
root at vdcsv1:~# pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           mar, 03 ott 2017 17:13:38 CEST
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    0
Password can change:  0
Password must change: 0
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and also if I set the 'cannot change password' flag:

root at vdcsv1:~# pdbedit --account-control="[X]" gaio
Unix username:        gaio
NT username:
Account Flags:        [UX         ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           mar, 03 ott 2017 17:13:38 CEST
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    ven, 20 ott 2017 16:52:13 CEST
Password can change:  ven, 20 ott 2017 16:52:13 CEST
Password must change: mar, 19 gen 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

so it seems that 'Password must change' is used somehow...

Thanks.

-- 
dott. Marco Gaiarin                       GNUPG Key ID: 240A3D66
Associazione ''La Nostra Famiglia''       http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it      t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Sorry, I came back on this, but:

> In another, more generic, way: how password policies are enforced?

still I need an answer on this question.

I've done some tests, using my account, that pdbedit says:

root at vdcsv1:~# LANG=C pdbedit -v gaio
Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           Tue, 03 Oct 2017 17:13:38 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 04:48:05 CEST
Password last set:    Fri, 20 Oct 2017 16:52:13 CEST
Password can change:  Fri, 20 Oct 2017 16:52:13 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and looking at my account (and with a bit of google ;-) I've found that, for example, password last set in LDAP is OK (minus a year, I've not understood why):

root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
Thu Oct 20 16:52:13 CEST 2016

If I try to do the same with 'accountExpires':

root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) - 11676009600 ))"
Wed Sep 15 04:48:05 CEST 30827

but Google tells me:
https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

and:

root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2
9223372036854775807

so 'account never expires' matches with 'never'.
Also, if I look at 'userAccountControl' I find 512 as the value:

root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
512

so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). If I disable it:

root at vdcsv1:~# pdbedit --account-control="[D]" gaio
[...]
Account Flags:        [DU         ]
[...]
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
514

so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE. If I set 'do not expire':

root at vdcsv1:~# pdbedit --account-control="[X]" gaio
[...]
Account Flags:        [UX         ]
[...]
root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
66048

so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT && ADS_UF_DONT_EXPIRE_PASSWD. So, it seems to me that 'pdbedit' is still a useful and coherent tool to set account flags.

With these experiments, I split my question in two parts:

1) Considering that 'accountExpires' probably is here for other things (e.g., setting an account expiration ''per se'', not for setting *password* expiration...), are password expiration policies enforced ''automatically'' using the last password change and the policy value?! In other words: to have the password expiration date, do I have to ''manually'' compute the date by adding the policy days to the last password set date? Supposing I'm not using (only) the ''default'' password policy, but I use different password policies for different OUs (in GPOs), how can I determine the 'max-pwd-age' policy value from GPOs?

2) As it seems to be, is 'pdbedit' still a valuable tool to handle these things (e.g., reading password dates and setting account flags)?

Thanks.

-- 
dott. Marco Gaiarin
On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Sorry, i came back on this, but:
>
> > In another, more generic, way: how password policies are enforced?
>
> still i need an answer on this question.
>
>
> I've done some tests, using my account, that pdbedit say:
>
> root at vdcsv1:~# LANG=C pdbedit -v gaio
> Unix username: gaio
> NT username:
> Account Flags: [U ]
> User SID: S-1-5-21-160080369-3601385002-3131615632-1105
> Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513
> Full Name: Marco Gaiarin
> Home Directory:
> HomeDir Drive: (null)
> Logon Script:
> Profile Path:
> Domain:
> Account desc: Marco Gaiarin
> Workstations:
> Munged dial:
> Logon time: Tue, 03 Oct 2017 17:13:38 CEST
> Logoff time: 0
> Kickoff time: Thu, 14 Sep 30828 04:48:05 CEST
> Password last set: Fri, 20 Oct 2017 16:52:13 CEST
> Password can change: Fri, 20 Oct 2017 16:52:13 CEST
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> and looking at my account (and with a bit of google ;-) i've found
> that, for example, password last set in LDAP is OK (minus a year,
> i've not understood why):
>
> root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) -
> 11676009600 ))"
> Thu Oct 20 16:52:13 CEST 2016
>
> If i try to do the same with 'accountExpires':
>
> root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000)
> - 11676009600 ))"
> Wed Sep 15 04:48:05 CEST 30827
>
> but google say me:
> https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
>
> and:
> root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' |
> cut -d ' ' -f 2
> 9223372036854775807
>
> so 'account never expires' matches with 'never'.
>
>
> Also, if i look at 'userAccountControl' i found 512 as a value:
> root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2
> 512
>
> so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by
> https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx).
>
> If i disable it:
> root at vdcsv1:~# pdbedit --account-control="[D]" gaio
> [...]
> Account Flags: [DU ]
> [...]
> root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2
> 514
>
> so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE.
>
> If i set 'do not expire':
> root at vdcsv1:~# pdbedit --account-control="[X]" gaio
> [...]
> Account Flags: [UX ]
> [...]
> root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:'
> | cut -d ' ' -f 2
> 66048
>
> so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT &&
> ADS_UF_DONT_EXPIRE_PASSWD.
>
> So, seems to me that 'pdbedit' is still a useful and coherent tool to
> set account flags.
>
>
>
> With these experiments, i split my question in two part:
>
>
> 1) considering that 'accountExpires' probably is here for other things
> (eg, setting an account expiration ''per se'', not for setting
> *password* expiration...), password expiration policy are enforced
> ''automatically'' using last password change and policy value?!
> In other way: to have the password expiration date, i've to
> ''manually'' compute the date adding the policy days to the last
> password set date?
> Supposing i'm not using (only) ''default'' password policy, but i use
> different password policies for different OUs (in GPOs), how can i
> determine the 'max-pwd-age' policy value from GPOs?
>
> 2) as seems to be, 'pdbedit' is still a valuable tool to handle this
> things (eg, read password dates and setting account flags)?
>
>
> Thanks.

The main problem here is that you are still looking at the problem from the NT perspective; 'accountExpires' has nothing to do with when the password expires ;-)

Setting 'userAccountControl' to 514 disables the account, it doesn't do anything to the password.

There are a few attributes in play here, one of which you haven't mentioned: 'ms-DS-User-Account-Control-Computed'. The one you need to look at is 'pwdLastSet'; this is used with 'maxPwdAge' to calculate when the password expires.

The easiest way to find info on this subject is to remember that you are now using Active Directory and use this in an internet search, along with 'pwdlastSet' and 'maxPwdAge'; don't mention Samba in the search.

Rowland
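Added example, not from the thread or from Samba itself: the calculation Rowland points to, done in Python over constructed ldbsearch-style output. pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC), maxPwdAge on the domain object is a negative duration in the same units, pwdLastSet = 0 means "change at next logon", and ADS_UF_DONT_EXPIRE_PASSWD in userAccountControl overrides the policy; the 1601-to-1970 offset is 11644473600 s, and the 11676009600 in the date one-liner above is exactly 365 days more, which is the "minus a year" seen in the thread. Assumptions: the sample attribute values are constructed, and INT64_MIN as the stored encoding of a "never" maxPwdAge is assumed.

```python
from datetime import datetime, timedelta, timezone
HUNDRED_NS_PER_SEC = 10_000_000
# 1601-01-01 to 1970-01-01 is 134774 days = 11644473600 s; the thread's
# 11676009600 is exactly 365 days more, hence the "minus a year".
EPOCH_DIFF_SEC = 11644473600
INT64_MIN = -0x8000000000000000       # assumed AD encoding of maxPwdAge "never"
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD"}

def filetime_to_unix(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix seconds, i.e. the corrected one-liner."""
    return ft // HUNDRED_NS_PER_SEC - EPOCH_DIFF_SEC

def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; timedelta sidesteps platform time_t limits."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ft // HUNDRED_NS_PER_SEC)

def decode_uac(uac):
    """Names of the ADS_UF_* bits from the thread that are set in uac, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """('never' | 'must-change' | 'expires', UTC datetime or None); max_pwd_age is the raw (negative) maxPwdAge."""
    if uac & 0x10000:                    # ADS_UF_DONT_EXPIRE_PASSWD overrides the policy
        return "never", None
    if pwd_last_set == 0:                # what --must-change-at-next-login writes
        return "must-change", None
    if max_pwd_age in (0, INT64_MIN):    # no maximum password age configured
        return "never", None
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)

def ldb_attrs(text):
    """Parse 'attr: value' lines of ldbsearch output into a dict (first value wins)."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            attrs.setdefault(key, value.strip())
    return attrs

# Constructed sample entries: one user and the domain object with a 90-day maxPwdAge.
SAMPLE_USER = ("dn: CN=gaio,CN=Users,DC=example,DC=test\nuserAccountControl: 512\n"
               "pwdLastSet: 131529847330000000\naccountExpires: 9223372036854775807\n")
SAMPLE_DOMAIN = "dn: DC=example,DC=test\nmaxPwdAge: -77760000000000\n"

def expiry_from_ldb(user_ldif, domain_ldif):
    """Join a user entry with the domain entry -> (state, ISO-8601 expiry or None)."""
    user, dom = ldb_attrs(user_ldif), ldb_attrs(domain_ldif)
    state, when = password_expiry(int(user["pwdLastSet"]), int(dom["maxPwdAge"]),
                                  int(user["userAccountControl"]))
    return state, (when.isoformat() if when else None)
```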