Philippe LeCavalier
2022-Jun-08 19:10 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Wed, Jun 8, 2022 at 4:36 AM L. van Belle via samba <samba at lists.samba.org> wrote:

> I suggest, increase the debug level, see that happening when users change a
> password.
> And tell us which samba version and OS you're using, add the content of
> smb.conf
>
> That's pretty important.

I was asking if it is expected behaviour. I suppose I could interpret you asking for this information as confirmation that it is not expected...

> This one might help out.
> sudo samba-tool domain passwordsettings

plecavalier# samba-tool domain passwordsettings show
Password information for domain 'DC=intranet,DC=domain,DC=ca'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 15

plecavalier# uname -ar
Linux piwc11 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64 GNU/Linux

plecavalier# dpkg -l | grep samba
ii  python3-samba             2:4.13.13+dfsg-1~deb11u3  amd64  Python 3 bindings for Samba
ii  samba                     2:4.13.13+dfsg-1~deb11u3  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.13.13+dfsg-1~deb11u3  all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.13.13+dfsg-1~deb11u3  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.13.13+dfsg-1~deb11u3  amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.13.13+dfsg-1~deb11u3  amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.13.13+dfsg-1~deb11u3  amd64  Samba Virtual FileSystem plugins

plecavalier# dpkg -l | grep winbind
ii  libnss-winbind:amd64      2:4.13.13+dfsg-1~deb11u3  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.13.13+dfsg-1~deb11u3  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64        2:4.13.13+dfsg-1~deb11u3  amd64  Samba winbind client library
ii  winbind                   2:4.13.13+dfsg-1~deb11u3  amd64  service to resolve user and group information from Windows NT servers

plecavalier# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = INTRANET
        realm = INTRANET.DOMAIN.CA
        netbios name = DC11
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        bind interfaces only = yes

[netlogon]
        path = /var/lib/samba/sysvol/intranet.domain.ca/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles]
        path = /data/profiles
        read only = no

> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba <samba-bounces at lists.samba.org> On behalf of Philippe LeCavalier via samba
> > Sent: Wednesday, 8 June 2022 03:05
> > To: samba <samba at lists.samba.org>
> > Subject: Re: [Samba] Password Expiration setting and manually adjusting the date
> >
> > On Tue, Jun 7, 2022 at 10:21 AM Philippe LeCavalier <support at plecavalier.com> wrote:
> >
> > > Hi,
> > > Does anyone have experience with having a password expiration (say 60
> > > days) and manually adjusting a user's expiration date?
> > >
> > > I've got several domains all of which have a 90 day expiration in ad-dc.
> > > Frequently, users forget to change it and get locked out. I find that
> > > when I postpone the expiration by adjusting the date (either in RSAT
> > > or CLI - whichever is most handy at the time) when the user changes
> > > the password the expiration doesn't change from the one I set. So if I
> > > give the user 3 days to change it and they change it the next day, the
> > > user still gets locked out on the third day yet I would expect it to
> > > not expire until the 90th day from the day it was changed.
> > >
> > > Is this normal behaviour and if it is, what is the expected method for
> > > dealing with a user with an expired account? If it isn't, what do I
> > > need to look at to rectify this?
> > > Thanks, Phil
> > >
> > Anyone experienced this?
Philippe LeCavalier
2022-Jun-09 21:24 UTC
[Samba] Password Expiration setting and manually adjusting the date
Just bringing this back to the surface.