On Tue, 24 Oct 2017 18:37:09 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > The main problem here is that you are still looking at the problem
> > from the NT perspective,
>
> Seems obvious to me. I came from 10+ years of experience on Samba3 NT
> domains, that indeed had excellent documentation and a more (for me)
> UNIX-minded approach.
>
> I was (ab)used to samba tools (smbpasswd, pdbedit, wbinfo, ...), and I
> can see that many of them still work in AD mode.
>
> Still, every tool does something a bit different from the others, and
> still some things cannot be done now by these tools, or by samba-tool
> that I suppose aims to substitute all of them.
>
> I'm trying to understand, moving away from NT and jumping into AD. Sorry
> for my messages, but it is very hard to search for some info without
> a clue...

No problem, as I keep saying, the only stupid question is the one you
don't ask ;-)

> > 'accountExpires' has nothing to do with when the password
> > expires ;-)
>
> I know. But in NT mode, samba (or was it the smbldap-tools?) was used to
> write in 'accountExpires' explicitly, so I'm asking about it.

I never use pdbedit, so don't know how it works.

> > Setting 'userAccountControl' to 514, disables the account, it
> > doesn't do anything to the password.
>
> Again I know that. I was asking effectively if 'pdbedit' is still an
> affordable tool to write account control in AD.

See here for info on 'userAccountControl':

https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

I believe pdbedit will do what you are asking, but as I don't use it, I
don't know how to.

> > The one you need to
> > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate
> > when the password expires.
>
> Ok, I've found that attribute, on the 'root' of the LDAP tree; but I
> think, measurement unit apart, it is the same as:
>
>   root at vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum
>   Maximum password age (days): 90
>
> right?

Somebody has changed it ;-)
The default is '42'

> > The easiest way to find info on this subject is to remember that you
> > are now using Active Directory and use this in an internet search,
> > along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the
> > search.
>
> Ok, good. But still I've not the answer to one of my questions, indeed.
>
> Is password expiration computed ''dynamically'' (now < pwdlastSet +
> maxPwdAge), or is the value of password expiration (pwdlastSet +
> maxPwdAge) saved (or accessible) somewhere?

Good question, at the moment it is 'dynamic', but there is the
'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem to
be used yet by Samba.

Rowland

Hello! Rowland Penny via samba
  On that day it was said...

> I believe pdbedit will do what you are asking, but as I don't use it, I
> don't know how to.

...seems no one knows this. ;-)

OK, seems it's time to start to study ldb* tools... ;-)

--
dott. Marco Gaiarin                      GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

Andrew Bartlett
2017-Oct-26  00:25 UTC
[Samba] Some hint reading password expiration data...
On Tue, 2017-10-24 at 18:13 +0100, Rowland Penny via samba wrote:

> Good question, at the moment it is 'dynamic', but there is the
> 'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem
> to be used yet by Samba.

We do implement this and use it internally, but I can't find any unit
tests specifically for it. Ouch! :-)

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

On Thu, 26 Oct 2017 13:25:00 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2017-10-24 at 18:13 +0100, Rowland Penny via samba wrote:
> >
> > Good question, at the moment it is 'dynamic', but there is the
> > 'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem
> > to be used yet by Samba.
>
> We do implement this and use it internally, but I can't find any unit
> tests specifically for it. Ouch! :-)
>
> Andrew Bartlett

I know it is in the schema, but is there any code to use it?

Rowland
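
Added example, not part of the thread and not Samba's own code: the "dynamic" calculation discussed above (pwdLastSet plus maxPwdAge), worked through in Python for auditing which accounts have expired or non-expiring passwords. It assumes the raw attribute values have already been read from the directory; the function names and sample accounts are hypothetical, and treating a maxPwdAge of 0 as "never" is an assumption.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD time zero
TICKS_PER_DAY = 86400 * 10_000_000    # AD stores 100-nanosecond intervals
UF_DONT_EXPIRE_PASSWD = 0x10000       # userAccountControl bit (65536)
INT64_MIN = -(2 ** 63)                # maxPwdAge value for "no maximum age"

def datetime_to_filetime(dt):
    """Convert an aware datetime to 100 ns ticks since 1601-01-01 UTC."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def filetime_to_datetime(ft):
    """Convert a pwdLastSet-style tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return (state, when); state is 'never', 'must_change' or 'expires'."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:              # password must be changed at next logon
        return ("must_change", None)
    if max_pwd_age in (0, INT64_MIN):  # assumption: both mean no maximum age
        return ("never", None)
    # maxPwdAge is stored on the domain object as a negative interval
    return ("expires", filetime_to_datetime(pwd_last_set + abs(max_pwd_age)))

def is_expired(pwd_last_set, max_pwd_age, uac, now):
    """True if the password can no longer be used at time 'now'."""
    state, when = password_expiry(pwd_last_set, max_pwd_age, uac)
    return state == "must_change" or (state == "expires" and now >= when)

if __name__ == "__main__":
    # Constructed sample values: 90-day policy, passwords set 2017-10-01.
    max_pwd_age = -90 * TICKS_PER_DAY
    set_on = datetime_to_filetime(datetime(2017, 10, 1, tzinfo=timezone.utc))
    now = datetime(2017, 10, 26, tzinfo=timezone.utc)
    users = {
        "alice": (set_on, 512),         # normal account
        "svc-backup": (set_on, 66048),  # 512 + DONT_EXPIRE_PASSWD
        "newhire": (0, 512),            # pwdLastSet = 0
    }
    for name, (pls, uac) in users.items():
        state, when = password_expiry(pls, max_pwd_age, uac)
        print(name, state, when.isoformat() if when else "-",
              "expired" if is_expired(pls, max_pwd_age, uac, now) else "ok")
```

Accounts reported as "never" because of the userAccountControl bit are the ones a password-age policy silently skips, so they are worth listing separately in an audit.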