Philippe LeCavalier
2021-Jul-18 13:56 UTC
[Samba] Password policy for user-managed passwords
Thank you Rowland. I appreciate you taking the time.

On Sat, Jul 17, 2021, 11:49 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 2021-07-17 at 11:16 -0400, Philippe LeCavalier via samba wrote:
> > Anyone else?
>
> There are several things in play here, there is the default domain
> password expiry, which can be shown by running:
>
> samba-tool domain passwordsettings show
>
> You can force a user to change their password by resetting it with:
>
> samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login

This implies I have to set a password that I would provide to them before
they can set a new one if I'm reading that correctly? How would I apply
that domain wide?

> There are a couple of attributes that need changing, userAccountControl
> and accountExpires
>
> If 'accountExpires' isn't set, then the password will expire on the day
> shown by the first samba-tool command above. A value of 0 or
> 9223372036854775807 indicates that the account never expires.
>
> You can set the password expiry with:
> samba-tool user setexpiry

Yes. This is the setting I typically set to 0.

> Add '--help' to the above command for more info.
>
> Rowland

I'm still uncertain how I transition smoothly. If I set the password to
expire after 1 day will they be prompted to change it or will their account
be disabled per the wording for that option? If the first users to change
their password change it within a few hours but the others take a week
won't the ones that change it be forced to change every day until the
slowest tell me they've completed the task and I can change the policy to
60 or 90?

Also, you mentioned 'userAccountControl' needed changing but you didn't
elaborate.
On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > You can force a user to change their password by resetting it with:
> >
> > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
>
> This implies I have to set a password that I would provide to them
> before they can set a new one if I'm reading that correctly? How
> would I apply that domain wide?

I would only do this for individual users or new users. I suppose you
could write a script to do it, randomly create a password and use that,
the problem would be in getting the interim password to the user, but
you never know, someone may have an idea how to do this.

> > There are a couple of attributes that need changing,
> > userAccountControl and accountExpires
> >
> > If 'accountExpires' isn't set, then the password will expire on the
> > day shown by the first samba-tool command above. A value of 0 or
> > 9223372036854775807 indicates that the account never expires.
> >
> > You can set the password expiry with:
> > samba-tool user setexpiry
>
> Yes. This is the setting I typically set to 0.
>
> > Add '--help' to the above command for more info.
> >
> > Rowland
>
> I'm still uncertain how I transition smoothly. If I set the
> password to expire after 1 day will they be prompted to change it
> or will their account be disabled per the wording for that option?

The 'prompting' is down to the display manager, it should prompt the
user to change their password, it should prompt well before the
password expires, so I wouldn't use 1 day.

> If the first users to change their password change it within a few
> hours but the others take a week won't the ones that change it be
> forced to change every day until the slowest tell me they've
> completed the task and I can change the policy to 60 or 90?

It doesn't work that way, if you set expiry to 1 day, then that is when
the password will expire, so if the users do not change their passwords
before the end of the day, then any passwords not changed will expire and
those users will not be able to login. You are correct about the users
having to change their passwords every day, that is yet another reason to
not use 1 day.

> Also, you mentioned 'userAccountControl' needed changing but you
> didn't elaborate.

Sorry, if you use samba-tool to set a user's expiry, then that attribute
is set for you. To understand 'userAccountControl', try reading this:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Rowland
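The "script to do it" that Rowland mentions, written as an added example (not from the thread or the Samba project): for each username read from stdin it generates a random interim password and runs the `samba-tool user setpassword ... --must-change-at-next-login` command quoted above, writing the interim passwords only to a mode-0600 file for the admin to hand out. It assumes `samba-tool` is on PATH; with `DRY_RUN` set it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: bulk "force change at next login" via samba-tool.
# Assumes samba-tool is on PATH unless DRY_RUN is set (then commands are printed).

# Generate a 16-character interim password from an alphabet without
# look-alike characters (no 0/O, 1/l/I), so it can be read out or typed.
gen_password() {
    LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' < /dev/urandom | head -c 16
}

# Build the exact samba-tool command for one user (printed, not executed).
force_change_cmd() {
    printf "samba-tool user setpassword '%s' --newpassword='%s' --must-change-at-next-login\n" "$1" "$2"
}

# Read usernames (one per line) from stdin; record "user<TAB>password" in $1.
# umask 077 so the password list is created 0600; it is never echoed.
force_change_all() {
    out="$1"
    umask 077
    : > "$out"
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        pw=$(gen_password)
        if [ -n "$DRY_RUN" ]; then
            force_change_cmd "$user" "$pw"
        else
            samba-tool user setpassword "$user" --newpassword="$pw" --must-change-at-next-login
        fi
        printf '%s\t%s\n' "$user" "$pw" >> "$out"
    done
}

# Example invocation (dry run): printf 'alice\nbob\n' | DRY_RUN=1 force_change_all ./interim.tsv
```

Run it for real only after checking `samba-tool domain passwordsettings show`, so the interim passwords satisfy the domain's complexity and length policy.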