On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > You can force a user to change their password by resetting it with:
> >
> > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
>
> This implies I have to set a password that I would provide to them
> before they can set a new one if I'm reading that correctly? How
> would I apply that domain wide?

I would only do this for individual users or new users. I suppose you
could write a script to do it, randomly create a password and use that,
the problem would be in getting the interim password to the user, but
you never know, someone may have an idea how to do this.

> > There are a couple of attributes that need changing,
> > userAccountControl and accountExpires
> >
> > If 'accountExpires' isn't set, then the password will expire on the
> > day shown by the first samba-tool command above. A value of 0 or
> > 9223372036854775807 indicates that the account never expires.
> >
> > You can set the password expiry with:
> > samba-tool user setexpiry
>
> Yes. This is the setting I typically set to 0.
>
> > Add '--help' to the above command for more info.
> >
> > Rowland
>
> I'm still uncertain how I transition smoothly. If I set the
> password to expire after 1 day will they be prompted to change it
> or will their account be disabled per the wording for that option?

The 'prompting' is down to the display manager, it should prompt the
user to change their password, it should prompt well before the
password expires, so I wouldn't use 1 day.

> If the first users to change their password change it within a few
> hours but the others take a week won't the ones that change it be
> forced to change every day until the slowest tell me they've
> completed the task and I can change the policy to 60 or 90?

It doesn't work that way, if you set expiry to 1 day, then that is when
the password will expire, so if the users do not change their passwords
before the end of the day, then any passwords not changed will expire
and those users will not be able to login. You are correct about the users
having to change their passwords every day, that is yet another reason
to not use 1 day.

> Also, you mentioned 'userAccountControl' needed changing but you
> didn't elaborate.

Sorry, if you use samba-tool to set a user's expiry, then that attribute
is set for you. To understand 'userAccountControl', try reading this:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Rowland
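The script Rowland says one "could write" looks roughly like the following. This is an added example, not code from the thread or from the Samba project: for each account it generates a random interim password, runs the `samba-tool user setpassword ... --must-change-at-next-login` command from the thread (which sets `pwdLastSet` to 0, so the next logon demands a new password), and records the interim password in a mode-600 file for out-of-band delivery, which is the hard part Rowland mentions. It assumes `samba-tool` is in PATH and that the caller may reset passwords (run on a DC as root); the account list at the bottom is a constructed sample, and nothing is executed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the thread): bulk reset with a random interim
# password plus --must-change-at-next-login, the way Rowland outlines.
# Assumptions: samba-tool in PATH, run on a DC with rights to reset
# passwords; account list below is constructed. Dry run unless DRY_RUN=0.
set -eu

DRY_RUN=${DRY_RUN:-1}
# Interim passwords are written here (mode 600 via umask) so they can be
# handed to users by some channel other than the login they cannot yet do.
OUTFILE=${OUTFILE:-${TMPDIR:-/tmp}/interim-passwords.txt}

# Random alphanumeric password of the requested length from /dev/urandom.
# Upper, lower and digits normally satisfy Samba's default complexity check;
# widen the tr set if the domain policy requires symbols.
gen_password() {
    len=${1:-16}
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s\n' "$pw" | cut -c1-"$len"
}

# The exact invocation from the thread for one account, printed on dry runs.
build_reset_cmd() {
    printf 'samba-tool user setpassword %s --newpassword=%s --must-change-at-next-login\n' "$1" "$2"
}

# Reset one account. The password is visible in the process list while
# samba-tool runs, so do this on the DC itself, not on a shared host.
reset_one() {
    if [ "$DRY_RUN" = 0 ]; then
        samba-tool user setpassword "$1" --newpassword="$2" --must-change-at-next-login
    else
        echo "dry-run: $(build_reset_cmd "$1" "$2")" >&2
    fi
}

# Reset every account named on stdin (one sAMAccountName per line) and
# print how many were processed.
reset_users() {
    count=0
    umask 077
    : > "$OUTFILE"
    while read -r user; do
        [ -n "$user" ] || continue
        pw=$(gen_password 16)
        reset_one "$user" "$pw"
        printf '%s %s\n' "$user" "$pw" >> "$OUTFILE"
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample list; in real use feed it with, for example,
#   samba-tool user list | grep -v -e '^Administrator$' -e '^krbtgt$' | reset_users
printf 'alice\nbob\ncarol\n' | reset_users
```

Run it once with the default dry run to review the commands it would issue, then with `DRY_RUN=0`. Filter built-in and service accounts out of the list before piping it in; a forced change on those breaks things that nobody is sitting in front of to complete.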
Philippe LeCavalier
2021-Jul-18 20:44 UTC
[Samba] Password policy for user-managed passwords
On Sun, Jul 18, 2021, 10:21 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > > You can force a user to change their password by resetting it with:
> > >
> > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> >
> > This implies I have to set a password that I would provide to them
> > before they can set a new one if I'm reading that correctly? How
> > would I apply that domain wide?
>
> I would only do this for individual users or new users.

[snip]

> > I'm still uncertain how I transition smoothly. If I set the
> > password to expire after 1 day will they be prompted to change it
> > or will their account be disabled per the wording for that option?
>
> The 'prompting' is down to the display manager, it should prompt the
> user to change their password, it should prompt well before the
> password expires, so I wouldn't use 1 day.

Is there a setting to control the amount of time prior to expiration a user
will get notified?

Phil
Philippe LeCavalier
2021-Oct-29 19:20 UTC
[Samba] Password policy for user-managed passwords
On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > > You can force a user to change their password by resetting it with:
> > >
> > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> >
> > This implies I have to set a password that I would provide to them
> > before they can set a new one if I'm reading that correctly? How
> > would I apply that domain wide?
>
> I would only do this for individual users or new users. I suppose you
> could write a script to do it, randomly create a password and use that,
> the problem would be in getting the interim password to the user, but
> you never know, someone may have an idea how to do this.
>
> > > There are a couple of attributes that need changing,
> > > userAccountControl and accountExpires
> > >
> > > If 'accountExpires' isn't set, then the password will expire on the
> > > day shown by the first samba-tool command above. A value of 0 or
> > > 9223372036854775807 indicates that the account never expires.
> > >
> > > You can set the password expiry with:
> > > samba-tool user setexpiry
> >
> > Yes. This is the setting I typically set to 0.
> >
> > > Add '--help' to the above command for more info.
> > >
> > > Rowland
> >
> > I'm still uncertain how I transition smoothly. If I set the
> > password to expire after 1 day will they be prompted to change it
> > or will their account be disabled per the wording for that option?
>
> The 'prompting' is down to the display manager, it should prompt the
> user to change their password, it should prompt well before the
> password expires, so I wouldn't use 1 day.
>
> > If the first users to change their password change it within a few
> > hours but the others take a week won't the ones that change it be
> > forced to change every day until the slowest tell me they've
> > completed the task and I can change the policy to 60 or 90?
>
> It doesn't work that way, if you set expiry to 1 day, then that is when
> the password will expire, so if the users do not change their passwords
> before the end of the day, then any passwords not changed will expire
> and those users will not be able to login. You are correct about the users
> having to change their passwords every day, that is yet another reason
> to not use 1 day.
>
> > Also, you mentioned 'userAccountControl' needed changing but you
> > didn't elaborate.
>
> Sorry, if you use samba-tool to set a user's expiry, then that attribute
> is set for you. To understand 'userAccountControl', try reading this:
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
>
> Rowland

Working on implementing this and I'm at the stage where I've enabled (but not forced) self-managed passwords. In other words, I have not set an expiration but users should be able to change their passwords. With my admin account and a test user account everything works: I create the user, log in with the temp password, change the password and it works. But when existing users of the network try, they get an 'access denied'. I looked around and can't find much other than the possibility that a GPO with min passwd age might be preventing the change. Before I go unnecessarily messing with GPOs I thought I'd ask here. I'm wondering if perhaps this might be a terminal services issue?
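Before touching GPOs, a cheap first step is to compare the attributes of the test account that can change its password with one of the existing accounts that gets 'access denied', and `samba-tool domain passwordsettings show` prints the minimum password age Phil suspects. The block below is an added example, not code from the thread or from Samba: it decodes the `userAccountControl` bit field Rowland pointed to, using the flag values documented on the Microsoft page he linked, pulls attributes out of `samba-tool user show` style output, and classifies the password-expiry state of an account. The two `samba-tool user show` outputs embedded in it are constructed samples; on a DC you would run `samba-tool user show <name> --attributes=userAccountControl,pwdLastSet,accountExpires`.

```shell
#!/bin/sh
# Added example (not from the thread): decode userAccountControl and classify
# an account's password-expiry state. Flag values are the documented AD bits
# from the Microsoft page linked above; the 'user show' output is constructed.
set -eu

# Bit value and flag name, ascending bit order.
UAC_FLAGS="
1 SCRIPT
2 ACCOUNTDISABLE
8 HOMEDIR_REQUIRED
16 LOCKOUT
32 PASSWD_NOTREQD
64 PASSWD_CANT_CHANGE
128 ENCRYPTED_TEXT_PWD_ALLOWED
256 TEMP_DUPLICATE_ACCOUNT
512 NORMAL_ACCOUNT
2048 INTERDOMAIN_TRUST_ACCOUNT
4096 WORKSTATION_TRUST_ACCOUNT
8192 SERVER_TRUST_ACCOUNT
65536 DONT_EXPIRE_PASSWORD
131072 MNS_LOGON_ACCOUNT
262144 SMARTCARD_REQUIRED
524288 TRUSTED_FOR_DELEGATION
1048576 NOT_DELEGATED
2097152 USE_DES_KEY_ONLY
4194304 DONT_REQ_PREAUTH
8388608 PASSWORD_EXPIRED
16777216 TRUSTED_TO_AUTH_FOR_DELEGATION
67108864 PARTIAL_SECRETS_ACCOUNT
"

# Print the names of every flag set in a decimal userAccountControl value.
uac_decode() {
    value=$1
    names=""
    set -- $UAC_FLAGS
    while [ $# -ge 2 ]; do
        if [ $(( value & $1 )) -ne 0 ]; then
            names="${names:+$names }$2"
        fi
        shift 2
    done
    printf '%s\n' "$names"
}

# Succeed if the named flag is set in the value; for use in scripted checks.
uac_has() {
    case " $(uac_decode "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract one attribute value from 'samba-tool user show' style text on stdin.
show_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# Classify password-expiry state from the show output passed as $1:
#   must-change   pwdLastSet is 0, the state --must-change-at-next-login leaves
#   never-expires DONT_EXPIRE_PASSWORD set, the state 'setexpiry --noexpiry' leaves
#   policy        expiry follows the domain maximum password age
pwd_state() {
    uac=$(printf '%s\n' "$1" | show_attr userAccountControl)
    pls=$(printf '%s\n' "$1" | show_attr pwdLastSet)
    if [ "${pls:-0}" = 0 ]; then
        echo must-change
    elif uac_has "${uac:-0}" DONT_EXPIRE_PASSWORD; then
        echo never-expires
    else
        echo policy
    fi
}

# Constructed samples of 'samba-tool user show' output for two accounts.
SAMPLE_TEST="dn: CN=testuser,CN=Users,DC=example,DC=com
userAccountControl: 512
pwdLastSet: 0"
SAMPLE_EXISTING="dn: CN=olduser,CN=Users,DC=example,DC=com
userAccountControl: 66048
pwdLastSet: 132707420210000000"

for s in "$SAMPLE_TEST" "$SAMPLE_EXISTING"; do
    uac=$(printf '%s\n' "$s" | show_attr userAccountControl)
    printf '%s: uac=%s [%s] state=%s\n' "$(printf '%s\n' "$s" | show_attr dn)" \
        "$uac" "$(uac_decode "$uac")" "$(pwd_state "$s")"
done
```

If the failing accounts show `DONT_EXPIRE_PASSWORD` while the working test user does not, that is the attribute `samba-tool user setexpiry` manipulates; if the flags are identical, the difference is elsewhere (the minimum password age from `samba-tool domain passwordsettings show`, or the path the change request takes, which is where Phil's terminal-services suspicion would come in).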