Philippe LeCavalier
2021-Oct-29 19:20 UTC
[Samba] Password policy for user-managed passwords
On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > > You can force a user to change their password by resetting it with:
> > >
> > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> > >
> > > This implies I have to set a password that I would provide to them
> > > before they can set a new one if I'm reading that correctly? How
> > > would I apply that domain wide?
>
> I would only do this for individual users or new users. I suppose you
> could write a script to do it, randomly create a password and use that,
> the problem would be in getting the interim password to the user, but
> you never know, someone may have an idea how to do this.
>
> > > There are a couple of attributes that need changing,
> > > userAccountControl and accountExpires
> > >
> > > If 'accountExpires' isn't set, then the password will expire on the day
> > > shown by the first samba-tool command above. A value of 0 or
> > > 9223372036854775807 indicates that the account never expires.
> > >
> > > You can set the password expiry with:
> > > samba-tool user setexpiry
> > >
> > > Yes. This is the setting I typically set to 0.
> > >
> > > Add '--help' to the above command for more info.
> > >
> > > Rowland
> > >
> > > I'm still uncertain how I transition smoothly. If I set the
> > > password to expire after 1 day will they be prompted to change it
> > > or will their account be disabled per the wording for that option?
>
> The 'prompting' is down to the display manager, it should prompt the
> user to change their password, it should prompt well before the
> password expires, so I wouldn't use 1 day.
>
> > > If the first users to change their password change it within a few
> > > hours but the others take a week won't the ones that change it be
> > > forced to change every day until the slowest tell me they've
> > > completed the task and I can change the policy to 60 or 90?
>
> It doesn't work that way, if you set expiry to 1 day, then that is when
> the password will expire, so if the users do not change their passwords
> before the end of the day, then any passwords not changed will expire
> and those users will not be able to login. You are correct about the users
> having to change their passwords every day, that is yet another reason
> to not use 1 day.
>
> > > Also, you mentioned 'userAccountControl' needed changing but you
> > > didn't elaborate.
>
> Sorry, if you use samba-tool to set a user's expiry, then that attribute
> is set for you. To understand 'userAccountControl', try reading this:
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
>
> Rowland

Working on implementing this and I'm at the stage where I've enabled (but not forced) self-managed passwords. In other words, I have not set an expiration but users should be able to change their passwords. With my admin account and a test user account everything works: I create the user, login with the temp password, change the password and it works. But when existing users of the network try, they get an 'access denied'. I looked around and can't find much other than the possibility that a GPO with min passwd age might be preventing the change. Before I go unnecessarily messing with GPOs I thought I'd ask here. I'm wondering if perhaps this might be a terminal services issue?
Jonathon Reinhart
2021-Oct-29 20:01 UTC
[Samba] Password policy for user-managed passwords
On Fri, Oct 29, 2021 at 3:21 PM Philippe LeCavalier via samba <samba at lists.samba.org> wrote:

> On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > > > You can force a user to change their password by resetting it with:
> > > >
> > > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> > > >
> > > > This implies I have to set a password that I would provide to them
> > > > before they can set a new one if I'm reading that correctly? How
> > > > would I apply that domain wide?
> >
> > I would only do this for individual users or new users. I suppose you
> > could write a script to do it, randomly create a password and use that,
> > the problem would be in getting the interim password to the user, but
> > you never know, someone may have an idea how to do this.
> >
> > > > There are a couple of attributes that need changing,
> > > > userAccountControl and accountExpires
> > > >
> > > > If 'accountExpires' isn't set, then the password will expire on the day
> > > > shown by the first samba-tool command above. A value of 0 or
> > > > 9223372036854775807 indicates that the account never expires.
> > > >
> > > > You can set the password expiry with:
> > > > samba-tool user setexpiry
> > > >
> > > > Yes. This is the setting I typically set to 0.
> > > >
> > > > Add '--help' to the above command for more info.
> > > >
> > > > Rowland
> > > >
> > > > I'm still uncertain how I transition smoothly. If I set the
> > > > password to expire after 1 day will they be prompted to change it
> > > > or will their account be disabled per the wording for that option?
> >
> > The 'prompting' is down to the display manager, it should prompt the
> > user to change their password, it should prompt well before the
> > password expires, so I wouldn't use 1 day.
> >
> > > > If the first users to change their password change it within a few
> > > > hours but the others take a week won't the ones that change it be
> > > > forced to change every day until the slowest tell me they've
> > > > completed the task and I can change the policy to 60 or 90?
> >
> > It doesn't work that way, if you set expiry to 1 day, then that is when
> > the password will expire, so if the users do not change their passwords
> > before the end of the day, then any passwords not changed will expire
> > and those users will not be able to login. You are correct about the users
> > having to change their passwords every day, that is yet another reason
> > to not use 1 day.
> >
> > > > Also, you mentioned 'userAccountControl' needed changing but you
> > > > didn't elaborate.
> >
> > Sorry, if you use samba-tool to set a user's expiry, then that attribute
> > is set for you. To understand 'userAccountControl', try reading this:
> >
> > https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
> >
> > Rowland
>
> Working on implementing this and I'm at the stage where I've enabled (but
> not forced) self-managed passwords. In other words, I have not set
> an expiration but users should be able to change their passwords. With my
> admin account and a test user account everything works: I create the user,
> login with the temp password, change the password and it works. But when
> existing users of the network try, they get an 'access denied'. I looked
> around and can't find much other than the possibility that a GPO with min
> passwd age might be preventing the change. Before I go unnecessarily
> messing with GPOs I thought I'd ask here. I'm wondering if perhaps this
> might be a terminal services issue?

Maybe not even a GPO, but just a domain password policy. Run this on the domain controller:

    $ sudo samba-tool domain passwordsettings show

and look for "Minimum password age (days)".
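The check Jonathon recommends, carried a step further as an added example that is not part of the thread and not Samba's own code: the script parses a constructed sample of `samba-tool domain passwordsettings show` output, decodes pwdLastSet and accountExpires from their FILETIME encoding (100-nanosecond ticks since 1601-01-01 UTC), and reports whether the domain's minimum password age would refuse a self-service change. This also shows why a freshly created test account can succeed where existing accounts fail: a password set with --must-change-at-next-login leaves pwdLastSet at 0, and that forced change is not held back by the minimum age (documented Windows behaviour, assumed here to apply to Samba AD as well). The sample command output, the user attribute values and the fixed reference clock are all constructed for this example.

```python
"""
Offline version of the check suggested above: parse the output of
`samba-tool domain passwordsettings show`, decode a user's pwdLastSet and
accountExpires attributes (Windows FILETIME), and work out whether the
domain's minimum password age is what turns a self-service password change
into 'access denied'.

All sample data below (the passwordsettings output and the user attribute
values) is constructed for this example, not taken from the poster's domain.
"""
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet and accountExpires are stored as Windows FILETIME:
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires values meaning "never expires", as noted in the thread.
NEVER_EXPIRES = {0, 9223372036854775807}
# Fixed reference time (the date of the post) so the example is reproducible.
POST_TIME = datetime(2021, 10, 29, 19, 20, tzinfo=timezone.utc)

# Constructed sample of `samba-tool domain passwordsettings show` output;
# the layout matches the command, the numbers are illustrative.
SAMPLE_SETTINGS = """\
Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""


def parse_password_settings(text):
    """Return the minimum and maximum password age (days) from the show output."""
    settings = {}
    for label, key in (("Minimum password age (days)", "min_age_days"),
                       ("Maximum password age (days)", "max_age_days")):
        match = re.search(r"^" + re.escape(label) + r":\s*(\d+)\s*$", text, re.MULTILINE)
        if match is None:
            raise ValueError(f"'{label}' not found in passwordsettings output")
        settings[key] = int(match.group(1))
    return settings


def filetime_to_datetime(filetime):
    """Decode a FILETIME integer into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Encode an aware datetime as FILETIME (integer arithmetic, no float rounding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def account_never_expires(account_expires):
    """True for the two accountExpires values that mean 'never'."""
    return account_expires in NEVER_EXPIRES


def can_user_change_password(pwd_last_set, min_age_days, now=POST_TIME):
    """
    Apply the minimum-password-age rule to a user-initiated change.

    pwdLastSet == 0 means 'must change password at next logon'; Windows does
    not hold that forced change back by the minimum age (assumed here to hold
    for Samba AD as well). Any other value starts the minimum-age clock.
    Returns (allowed, reason).
    """
    if pwd_last_set == 0:
        return True, "forced change at next logon; minimum age not applied"
    earliest = filetime_to_datetime(pwd_last_set) + timedelta(days=min_age_days)
    if now < earliest:
        return False, f"minimum age not reached; allowed from {earliest:%Y-%m-%d %H:%M} UTC"
    return True, "minimum age satisfied"


def demo(now=POST_TIME):
    """Run the check over constructed users; returns {name: (allowed, reason, never_expires)}."""
    settings = parse_password_settings(SAMPLE_SETTINGS)
    users = {
        # fresh test user created with --must-change-at-next-login
        "testuser": {"pwdLastSet": 0, "accountExpires": 0},
        # existing user whose password an admin reset ten hours ago
        "alice": {"pwdLastSet": datetime_to_filetime(now - timedelta(hours=10)),
                  "accountExpires": 9223372036854775807},
        # existing user whose password is well past the minimum age
        "bob": {"pwdLastSet": datetime_to_filetime(now - timedelta(days=30)),
                "accountExpires": 0},
    }
    results = {}
    for name, attrs in users.items():
        allowed, reason = can_user_change_password(attrs["pwdLastSet"], settings["min_age_days"], now)
        never = account_never_expires(attrs["accountExpires"])
        results[name] = (allowed, reason, never)
        print(f"{name:9s} change_allowed={allowed!s:5s} account_never_expires={never!s:5s} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

To use it against a real domain, feed the actual `samba-tool domain passwordsettings show` output to parse_password_settings and pull a user's attributes from the sam.ldb on the DC, for example with `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=alice)' pwdLastSet accountExpires`; a user whose pwdLastSet is within the minimum age can only be unblocked by waiting, lowering the minimum age, or an administrative reset with --must-change-at-next-login.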