Eyal, I cc this email to the list so others may contribute...
Below are some simple password history scripting ideas I fiddled with a
while ago. It runs from the command line with username as argument. (Maybe
others have better ideas??)
I found little useful info on the web or in lists.
Not sure of the best way to interface/wrap with smbpasswd?
Problem: there doesn't seem to be a (samba) mechanism to communicate
errors/feedback to clients... Samba3 may have this ability sometime in
the future?
Or... XP Pro has lots of fancy user/pass/stuff already built in; trouble
is you need group-policy/active-directory to make use of them. Unless
parts of A/D can be duplicated in samba one day?
Local policies (xp-pro), as far as user/password stuff goes, work fine in
a workgroup environment. You can use xp built-in security tools
here. Supposedly it's possible for local security policy (xp-pro) to apply
in a samba domain, but I couldn't get password stuff to work. This is
what I have found after many hours searching/testing. I hope others will
jump in with their contributions. Script below to play with. Regards,
Richard Coates.

#!/bin/sh
# samba TESTING password history script Jan 2003, R.Coates
# could use encrypted hash from smbpasswd file instead of plain text
# change vars to suit
#mypath=/etc/samba   # redhat path to samba config
mypath=/root         # test path
hist=5               # number of passwords to keep
user=$1              # username as 1st argument

# setup check: does "history" exist; if not, create it and set permissions
if ! [ -d "$mypath/history" ]; then
    mkdir "$mypath/history"
    chmod 700 "$mypath/history"   # a directory needs the x bit to be entered
fi
umask 077   # history and tmp files readable by owner only

# at samba password change
# 1: new password is compared to history
# 2: if matched, error messg sent to user, retry
#    ** problem **
# 3: if not matched
#    new password appended to "history file"
#    execute smbpasswd -a newpasswd to update samba password
# 4: history file truncated to "n" most recent entries
echo "enter newpassword"
read -r newpass
read -r newpass1   # second copy; smbpasswd -s reads the password twice
# -x -F: match the whole line literally, not as a regex or substring
if grep -qxF -e "$newpass" "$mypath/history/$user" 2>/dev/null; then
    echo "password in recent history..try again"
else
    printf '%s\n' "$newpass" >> "$mypath/history/$user"   # update history
    printf '%s\n' "$newpass" > "$mypath/history/tmp"      # write tmp password file
    printf '%s\n' "$newpass1" >> "$mypath/history/tmp"
    # truncate history
    tail -n "$hist" "$mypath/history/$user" > "$mypath/history/$user.tmp"
    mv -f "$mypath/history/$user.tmp" "$mypath/history/$user"
    # execute smbpasswd -a here
    smbpasswd -s -a "$user" < "$mypath/history/tmp"   # update samba password from tmp file
    rm -f "$mypath/history/tmp"                       # remove tmp password file
fi

On Sat, 2003-04-05 at 01:07, EyalM@cardonhealthcare.com wrote:
> My scripting knowledge is good, but I don't know where to look in. Do you
> have any idea where to start?
>
>
>
>
>
> Eyal Marantenboim <eyal@eyal.com.ar>
> 04/04/2003 07:14
>
>
> To: eyalm@cardonhealthcare.com
> cc:
> Subject: Fwd: Re: [Samba] Re: Password Aging Policies - SAMBA
>
>
> >Subject: Re: [Samba] Re: Password Aging Policies - SAMBA
> >From: richard <rcoates@bigpond.net.au>
> >To: Eyal M <eyal@eyal.com.ar>
> >Date: 04 Apr 2003 08:27:01 +1000
> >
> >I am also... have been for months and have found zip. How's your
> >scripting knowledge?
> >Richard.
> >
> >On Fri, 2003-04-04 at 08:57, Eyal M wrote:
> >> I'm looking for a solution to password aging, do u know where I can get
> >> one?
> >>
> >> Eyal.
> >>
> >> <ascannel@fws.gov> wrote in message
> >> news:OFEEB22D6F.70D864FE-ON89256CFD.007470D9-89256CFD.00755439@irm.r9.fws.gov...
> >> >
> >> >
> >> > >I am sorry if this is a lame question, but I am setting up a Primary
> >> > >Domain Controller and a Backup Domain Controller. All the clients are
> >> > >Windows 2K or XP. I need the clients to reset their passwords every 30
> >> > >days. I am having a hard time locating a procedure to set this feature.
> >> > >LINUX has 'chage' but that does not seem to apply to SAMBA.
> >> >
> >> > Samba 2.x does not have this built in. Looks like Samba 3.0 will have
> >> > this as a feature. For now you get to do it yourself. If you check the
> >> > archives you'll find a number of homebrew solutions to password aging.
> >> >
> >> > Patrick
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > To unsubscribe from this list go to the following URL and read the
> >> > instructions: http://lists.samba.org/mailman/listinfo/samba
> >> >
>
>
>
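
The script at the top of this message notes that it "could use encrypted hash ... instead of plain text" for the history file. The sketch below is an added example, not part of the original post or of Samba: it keeps each history entry as a random salt plus a SHA-256 digest and rejects user names that are unsafe as file names. HISTDIR, HIST and the function names are assumptions, and it expects sha256sum and od to be installed.

```sh
#!/bin/sh
# Added example, not from the original post: password history stored as
# salt:digest lines instead of plain text. HISTDIR, HIST and all function
# names are assumptions; needs sha256sum, od and /dev/urandom.
# Salted SHA-256 keeps the sketch portable; prefer a slow password hash
# where one is available.
HISTDIR=${HISTDIR:-/tmp/pwhist-demo}   # constructed test path
HIST=${HIST:-5}                        # number of entries to keep

# digest SALT PASSWORD: print hex SHA-256 of "SALT:PASSWORD"
digest() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# in_history USER PASSWORD: succeed if PASSWORD matches a stored entry
in_history() {
    [ -f "$HISTDIR/$1" ] || return 1
    while IFS=: read -r salt stored; do
        [ "$(digest "$salt" "$2")" = "$stored" ] && return 0
    done < "$HISTDIR/$1"
    return 1
}

# remember USER PASSWORD: append a freshly salted entry, keep the last
# $HIST. The ( ) body runs in a subshell so umask stays local.
remember() (
    umask 077
    mkdir -p "$HISTDIR"
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s\n' "$salt" "$(digest "$salt" "$2")" >> "$HISTDIR/$1"
    tail -n "$HIST" "$HISTDIR/$1" > "$HISTDIR/$1.tmp" &&
        mv -f "$HISTDIR/$1.tmp" "$HISTDIR/$1"
)

# change_allowed USER PASSWORD: 0 = recorded (go on to smbpasswd),
# 1 = password reused, 2 = user name unsafe to use as a file name
change_allowed() {
    case $1 in
        ''|*/*|.*) echo "bad user name" >&2; return 2 ;;
    esac
    if in_history "$1" "$2"; then
        echo "password in recent history..try again" >&2
        return 1
    fi
    remember "$1" "$2"
}
```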