Is there any work going on for Samba 2.0.6 in the way of making passwords expire ? Or does anyone know how to do it ? Thanks. Alan.
Alan Hourihane wrote:
>
> Is there any work going on for Samba 2.0.6 in the way of
> making passwords expire ?
>
> Or does anyone know how to do it ?

It's not too hard. We already have a 'last changed time' in the smb.conf, so adding a 'password expire time' parameter in smb.conf wouldn't be too hard. Trouble is I'm working on unicode Samba right now.

Regards,

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

Thanks Jeremy....

I guess you mean the smbpasswd and not smb.conf though.

I might have a go at doing this in the new year.

Alan.

On 23 December 1999 18:19, Jeremy Allison [SMTP:jeremy@valinux.com] wrote:
> Alan Hourihane wrote:
> >
> > Is there any work going on for Samba 2.0.6 in the way of
> > making passwords expire ?
> >
> > Or does anyone know how to do it ?
>
> It's not too hard. We already have a 'last changed time'
> in the smb.conf, so adding a 'password expire time' parameter
> in smb.conf wouldn't be too hard. Trouble is I'm working
> on unicode Samba right now.
>
> Regards,
>
> Jeremy Allison,
> Samba Team.

Alan Hourihane wrote:
>
> Thanks Jeremy....
>
> I guess you mean the smbpasswd and not smb.conf though.
>

Actually, no. The smbpasswd file stores the last change time of each password, therefore a global "password expiry" time (ie. how long a password would last) could be an smb.conf parameter. The difference between last changed time and local time would be compared with this and a "password expired" error returned if it was greater.

Jeremy.

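
The comparison described in the message above, as an added example that is not part of the original thread and is not Samba code: it reads the `LCT-` (last change time) field of smbpasswd-format entries and compares the password age with a maximum age. The 60-day limit, the account names and the placeholder hashes are constructed for illustration, and treating `LCT-00000000` as "never set" is an assumption of this sketch.

```python
import re

# smbpasswd entry: name:uid:LANMAN hash:NT hash:[flags]:LCT-<8 hex digits>:
LCT_RE = re.compile(r"^LCT-([0-9A-Fa-f]{8})$")
DAY = 86400  # seconds


def parse_entry(line):
    """Return (user, flags, last_change_epoch), or None if not a usable entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        return None
    match = LCT_RE.match(fields[5])
    if match is None:
        return None
    return fields[0], fields[4].strip("[] "), int(match.group(1), 16)


def password_status(line, max_age_days, now):
    """Compare (now - last change time) with the allowed password age."""
    entry = parse_entry(line)
    if entry is None:
        return "skip"
    _user, flags, last_change = entry
    if "W" in flags:            # workstation trust account, not a user password
        return "skip"
    if last_change == 0:        # assumption: zero means no change time recorded
        return "never-set"
    if now - last_change > max_age_days * DAY:
        return "expired"
    return "ok"


def audit(lines, max_age_days, now):
    """Map each user account to its status, leaving out skipped lines."""
    report = {}
    for line in lines:
        status = password_status(line, max_age_days, now)
        if status != "skip":
            report[parse_entry(line)[0]] = status
    return report


# --- constructed sample data (not from a real system) ---
NOW = 946684800                      # 2000-01-01 00:00:00 UTC, fixed for repeatability
FAKE_HASH = "0123456789ABCDEF" * 2   # placeholder, not a real password hash
MAX_AGE_DAYS = 60                    # hypothetical policy value


def sample_line(user, uid, flags, last_change):
    """Build one constructed entry in smbpasswd layout."""
    return "%s:%d:%s:%s:[%-11s]:LCT-%08X:" % (
        user, uid, FAKE_HASH, FAKE_HASH, flags, last_change)


SAMPLE = [
    "# constructed smbpasswd entries",
    sample_line("alice", 1001, "U", NOW - 30 * DAY),
    sample_line("bob", 1002, "U", NOW - 90 * DAY),
    sample_line("carol", 1003, "U", 0),
    sample_line("pc1$", 1004, "W", NOW - 90 * DAY),
]

if __name__ == "__main__":
    for user, status in audit(SAMPLE, MAX_AGE_DAYS, NOW).items():
        print("%-8s %s" % (user, status))
```
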
Hi, I'm a new subscriber to this mailing list, sorry if this subject has been discussed before. My problem is that I used linux 7.0 and I have pptp, which is using smbpasswd. I tried to find out how to make samba expire the password for the user. Is there any good advice here? Thanks for help. Alaa
Hi folks, I'm successfully running Samba 2.2.2 on a SuSE 7.3 system as a PDC for W2k clients. Everything works fine, but now after logon I get the message that my password is about to expire. How do I switch this PW-expiration off ? I couldn't find any entry in smb.conf for this. Any help would be greatly appreciated. Thanks Stephan
I have samba 2.2.2 on Solaris 7 running as windows domain server. The problem is the windows2000 clients keep giving users the message that their password is about to expire and ask if you want to change it. No password expirations have been set on the server or the local windows boxes. If you cancel the message it continues to work fine. On the local machine local password maximum age policy has been set to 0. Any ideas? ---------------------------------------------------------------------------- William H. Lacy System Administrator www.vetmed.auburn.edu/~lacywil Computer Group lacywil@vetmed.auburn.edu Auburn University College of Veterinary Medicine (334)844-3705 ----------------------------------------------------------------------------
Hi All. I want to confirm something I have been researching. I have a site that I installed a Linux/Samba server for several years ago. After years of successful use, this location is having a number of new security policies rammed down their throat by their corporate headquarters. One of the new policies is that ALL passwords must expire after 60 days. My research in the mailing list archives and on the Internet seems to indicate that Samba 2.2.x can be configured to obey the PAM authentication rules - which would imply following any password expiration rules established for the system via the PAM configuration. However, based on the Samba 2.2.3a smb.conf man page, it seems that this requires you to disable the use of encrypted passwords. Unfortunately, this would mean going around to ALL PC's on large network (100+ users) and performing the plain-text password registry hack. The other information I have found in my research is that Windows 95/98 clients apparently do not handle password expiration well. I.e. they keep logging into the domain until the password expires, and then just cannot login anymore. Can anyone confirm or refute these facts for me? Has anyone successfully setup password expiration on a Samba server that serves a mix of Windows NT, Windows 2000 and Windows 98 clients (90% Windows 98 in this case). I have thought of all sorts of ways to let PC users know to change their passwords - via some type of program that runs from the login scripts, via a web page on the Samba server, etc. In reality I think they are better off NOT expiring the passwords, as that will tend to force users to choose poor passwords in the long run. It's not my call though - I am just basically an unpaid technical consultant in this case... Thanks! -- /-------------------------------------\ | Jim Morris | jim@morris-world.com | \-------------------------------------/
Dear List, First thanks for the great program. I know this is probably not the best place to ask this but is anybody running TrendMicro OfficeScan network edition on FileSharing Definitions using Samba or do they know if Windows 2000 Pro has any type of tcp/ip file/printer sharing limitation like Windows XP Home & Pro do? If I can do without one more Windows NT server to patch it will be great. Thanks for your support! Yussef M. ElSirgany Magnatech Business Systems Phone: 516-931-4444 Ext.105 Fax: 516-931-1264 Email: yelsir@magnatechonline.com
If you resort to writing your own method of letting people know their passwords are about to expire, you might look into doing it with a WinPopUp notification. I'm not sure if a WinPopUp client runs by default on 95/98, though if it doesn't you could probably launch one from the login script. We thankfully don't have many of those machines here, we're mostly an NT 4.0 shop. Even NT isn't perfect when it comes to password expiration. If you manually expire someone's password while they're logged in, they aren't notified of what happened until their next login, but Exchange and other services that do network authentication cut them off immediately!

-----Original Message-----
From: Jim Morris [mailto:jim@morris-world.com]
Sent: Wednesday, March 20, 2002 10:35 AM
To: samba@lists.samba.org
Subject: [Samba] Password Expiration

Well, now that my feet are wet, I thought I would ask another, hopefully less confusing question. As I said in the confusing email about printing, I've set Samba to be a PDC. What I'm wondering is if I can setup the users' passwords to expire after a specific time frame? If so, how do I get it to warn users ahead of time? Thanks once again :) Darin Bawden TeamDME! Technical Support (615) 333-1900 ext. 19 dbawden@teamdme.com
Good morning everyone,

Just a quick question. I have a Samba server set up as a PDC with 2.2.3a-6. Things seem to be going OK. However, something that has finally started to show up is password expiration. I know users can change Windows passwords and that should, in theory, change the passwords on the Linux server. What I'm wondering is if there's a way to tell samba/linux to send a warning box X number of days ahead of expiration. I thought I had that set up, but it doesn't seem to be working.

Here's an output of Testparm of my current box. Thanks for all the help :)

[global]
         coding system =
         client code page = 850
         code page directory = /usr/share/samba/codepages
         workgroup = TEAMDME
         netbios name = LINUX1
         netbios aliases =
         netbios scope =
         server string = Linux Server
         interfaces =
         bind interfaces only = No
         security = USER
         encrypt passwords = Yes
         update encrypted = No
         allow trusted domains = Yes
         hosts equiv =
         min passwd length = 5
         map to guest = Never
         null passwords = No
         obey pam restrictions = Yes
         password server =
         smb passwd file = /etc/samba/smbpasswd
         root directory =
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
         passwd chat debug = No
         username map =
         password level = 0
         username level = 0
         unix password sync = Yes
         restrict anonymous = No
         lanman auth = Yes
         use rhosts = No
         log level = 2
         syslog = 1
         syslog only = No
         log file = /var/log/samba/%m.log
         max log size = 0
         timestamp logs = Yes
         debug hires timestamp = No
         debug pid = No
         debug uid = No
         protocol = NT1
         large readwrite = No
         max protocol = NT1
         min protocol = CORE
         read bmpx = No
         read raw = Yes
         write raw = Yes
         nt smb support = Yes
         nt pipe support = Yes
         announce version = 4.5
         announce as = NT
         max mux = 50
         max xmit = 65535
         name resolve order = lmhosts host wins bcast
         max packet = 65535
         max ttl = 259200
         max wins ttl = 518400
         min wins ttl = 21600
         time server = No
         unix extensions = No
         change notify timeout = 60
         deadtime = 0
         getwd cache = Yes
         keepalive = 300
         lpq cache time = 10
         max smbd processes = 0
         max disk size = 0
         max open files = 10000
         read size = 16384
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         stat cache size = 50
         use mmap = Yes
         total print jobs = 0
         load printers = Yes
         printcap name = /etc/printcap
         disable spoolss = No
         enumports command =
         addprinter command =
         deleteprinter command =
         show add printer wizard = Yes
         os2 driver map =
         strip dot = No
         character set =
         mangled stack = 50
         stat cache = Yes
         domain admin group = @root
         domain guest group =
         machine password timeout = 604800
         add user script = /usr/bin/adduser -d /dev/null -g 100 -s /bin/false -M %m$
         delete user script =
         logon script =
         logon path = \\%N\%U\profile
         logon drive =
         logon home = \\%N\%U
         domain logons = Yes
         os level = 99
         lm announce = Auto
         lm interval = 60
         preferred master = True
         local master = Yes
         domain master = True
         browse list = Yes
         enhanced browsing = Yes
         dns proxy = No
         wins proxy = No
         wins server =
         wins support = No
         wins hook =
         kernel oplocks = Yes
         oplock break wait time = 0
         add share command =
         change share command =
         delete share command =
         config file =
         preload =
         lock dir = /var/cache/samba
         utmp directory =
         wtmp directory =
         utmp = No
         default service =
         message command =
         dfree command =
         valid chars =
         remote announce =
         remote browse sync =
         socket address = 0.0.0.0
         homedir map = auto.home
         time offset = 0
         NIS homedir = No
         source environment =
         panic action =
         hide local users = No
         host msdfs = No
         winbind uid =
         winbind gid =
         template homedir = /home/%D/%U
         template shell = /bin/false
         winbind separator = \
         winbind cache time = 15
         winbind enum users = Yes
         winbind enum groups = Yes
         comment =
         path =
         alternate permissions = No
         username =
         guest account = nobody
         invalid users =
         valid users =
         admin users =
         read list =
         write list =
         printer admin = @ntadmin
         force user =
         force group =
         read only = Yes
         create mask = 0744
         force create mode = 00
         security mask = 0777
         force security mode = 00
         directory mask = 0755
         force directory mode = 00
         directory security mask = 0777
         force directory security mode = 00
         inherit permissions = No
         guest only = No
         guest ok = No
         only user = No
         hosts allow =
         hosts deny =
         status = Yes
         nt acl support = Yes
         max connections = 0
         min print space = 0
         strict allocate = No
         strict sync = No
         sync always = No
         write cache size = 0
         max print jobs = 1000
         printable = No
         postscript = No
         printing = lprng
         print command = lpr -r -P%p %s
         lpq command = lpq -P%p
         lprm command = lprm -P%p %j
         lppause command =
         lpresume command =
         queuepause command =
         queueresume command =
         printer name =
         use client driver = No
         default devmode = No
         printer driver =
         printer driver file = /etc/samba/printers.def
         printer driver location =
         default case = lower
         case sensitive = No
         preserve case = Yes
         short preserve case = Yes
         mangle case = No
         mangling char = ~
         hide dot files = Yes
         hide unreadable = No
         delete veto files = No
         veto files =
         hide files =
         veto oplock files =
         map system = No
         map hidden = No
         map archive = Yes
         mangled names = Yes
         mangled map =
         browseable = Yes
         blocking locks = Yes
         fake oplocks = No
         locking = Yes
         oplocks = Yes
         level2 oplocks = Yes
         oplock contention limit = 2
         posix locking = Yes
         strict locking = No
         share modes = Yes
         copy =
         include =
         exec =
         preexec close = No
         postexec =
         root preexec =
         root preexec close = No
         root postexec =
         available = Yes
         volume =
         fstype = NTFS
         set directory = No
         wide links = Yes
         follow symlinks = Yes
         dont descend =
         magic script =
         magic output =
         delete readonly = No
         dos filemode = No
         dos filetimes = No
         dos filetime resolution = No
         fake directory create times = No
         vfs object =
         vfs options =
         msdfs root = No

Even though it's listing Winbind here, I'm not actually using it. I really don't know why it's there. As you might have guessed, I'm still kind of new to this whole thing.

Thanks again :)

Darin Bawden
dbawden@teamdme.com

I have a two fold question:

1) Does Samba now fully support password expiration? (I can get it to pop up a message on the windows client that the password is about to expire, but it keeps letting me log on)

2) How do I get it to change password from the "password is expiring" dialog? (I can change the password from the "change password" button in windows, but when I say I want to change it from the "password about to expire" message, I always get "can't change password because domain is unavailable")

Thanks for any help

Dan

To make a password expire on my Samba PDC I just need to edit the "/etc/shadow" or use the command "chage -M days_before_expire user"? Thanx Rodrigo
On Wed, 5 Mar 2003, Rodrigo Schmidt N?rmberg wrote:
> To make a password expire on my Samba PDC I just need to edit the
> "/etc/shadow" or use the command "chage -M days_before_expire user"?

If you are using PAM that may work. How is your PAM configured?
ie: /etc/pam.d/samba

- John T.
--
John H Terpstra
Email: jht@samba.org

This is the /etc/pam.d/system-auth. Can You send me a ie config file (how it should be).

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

----- Original Message -----
From: "John H Terpstra" <jht@samba.org>
To: "Rodrigo Schmidt N?rmberg" <schmidt@brturbo.com>
Sent: Wednesday, March 05, 2003 10:34 PM
Subject: Re: [Samba] Password Expiration

> On Wed, 5 Mar 2003, Rodrigo Schmidt N?rmberg wrote:
>
> > This is my samba pam configuration
> >
> > #%PAM-1.0
> > auth required pam_nologin.so
> > auth required pam_stack.so service=system-auth
> > account required pam_stack.so service=system-auth
> > session required pam_stack.so service=system-auth
> > password required pam_stack.so service=system-auth
> >
> > Is this ok?
> > What more i need to put in smb.conf?
>
> So what is in /etc/pam.d/system-auth?
>
> - John T.

Is it possible to send feedback from this command back to the user during logon? ie: to communicate no of days until password expires etc.

Richard Coates.

On Thu, 2003-03-06 at 11:13, John H Terpstra wrote:
> On Wed, 5 Mar 2003, Rodrigo Schmidt N?rmberg wrote:
>
> > To make a password expire on my Samba PDC I just need to edit the
> > "/etc/shadow" or use the command "chage -M days_before_expire user"?
>
> If you are using PAM that may work. How is your PAM configured?
> ie: /etc/pam.d/samba
>
> - John T.

On Sat, 8 Mar 2003, richard wrote:
> is it possible to send feedback from this command back to the user
> during logon? ie: to communicate no of days until password expires etc.

I have not tried to implement this in PAM. Others who have claim it is not possible. It is my impression that it can be done, but would involve creating a new PAM module that simply picks up Unix account data and then writes this information to /etc/issue or /etc/motd or such file. The method would be rather convoluted and obviously not to every administrator's tastes.

As for implementing it in Samba, we are working to replicate the MS Windows NT/2K user access control technology in a manner that is independent of the way this works in the Unix OS. Integrating them can be done (it is now partially through PAM) but has too many horrendous side effects.

- John T.

--
John H Terpstra
Email: jht@samba.org

(Sorry if this post is a duplicate, but I posted the message two days ago and still have not seen it on the list). Looking in the mail archives [1] I see someone else had a similar problem but I saw no resolution. I got the error: NT_STATUS_PASSWORD_EXPIRED. (btw error RAP2242). I'm 100% positive the user's system password was not expired, I was able to log into the system console, and via ssh. When I changed the password using smbpasswd, it worked again. But I'd like to know where I can change the samba password expiration time, or set it when creating a new samba user, so it will not expire at all, or not in one week, but a year or 6 months instead. Leif [1] http://www.mail-archive.com/debian-user@lists.debian.org/msg48708.html