IT Department of the Chernihiv District Administration
2009-Nov-26 07:03 UTC
[Samba] password expiration problem
Greetings. I have a problem with password expiration that I cannot handle myself, so I wrote to this list. Recently I discovered that a newly created Samba account already has an expired password.

smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c "Tommy T." tommy
smbldap-passwd tommy

getent shadow
user:*:::::::0
user2:*:::::::0
user3:*:::365::::0
tommy:*:::365::::0

su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:

auth.log
/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost= user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy" does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token manipulation error
Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user

smb.conf
[global]
workgroup = WORKGROUP
server string = %h server
; wins server = w.x.y.z
dns proxy = no
; name resolve order = lmhosts host wins bcast
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
syslog = 0
panic action = /usr/share/samba/panic-action %d
log level = 3 vfs:2
security = user
encrypt passwords = true
obey pam restrictions = no
; unix password sync = no
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated
pam password change = no
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
unix extensions = no
; domain logons = yes
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

smbldap.conf
SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=workgroup"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=workgroup" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=workgroup" write
        by * read

smbldap-usershow tommy
dn: uid=tommy,ou=Users,dc=workgroup
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: tommy
sn: tommy
givenName: tommy
uid: tommy
uidNumber: 1099
gidNumber: 513
homeDirectory: /home/tommy
loginShell: /bin/bash
gecos: T. Tommy
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tommy
sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
sambaLogonScript: tommy.cmd
sambaProfilePath: \\NAS\profiles\tommy
sambaHomePath: \\NAS\tommy
sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
sambaHomeDrive: H:
mailLocalAddress: tommy
mail: tommy at workgroup
sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 3DBDE697D71690A769204BEB12283678
sambaPwdLastSet: 1259217976
sambaPwdMustChange: 1290753976
userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
shadowLastChange: 14574
shadowMax: 365

smbd --version
Version 3.2.5

debian lenny

slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
        buildd at ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd

Thanks in advance
I've changed this in slapd.conf:

Code:
#access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
access to attrs=userPassword,sambaNTPassword,sambaLMPassword

getent shadow now shows:

Code:
user:*:::::::0
user2:*:::::::0
tommy:*:14579::365::::0

And this way I've managed to log in as user tommy.
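As an added example (not code from the thread, from Samba or from smbldap-tools), a small check for the symptom above: it parses getent shadow output with the aging rules that produced the "password aged" message, so an account whose shadowLastChange the LDAP ACL hides from NSS is reported as missing-lastchange before the slapd.conf change and as ok after it. The sample lines are the thread's own getent output; the function and field names are my own.

```python
"""Flag accounts whose visible shadow data makes pam_unix report "password aged"."""
from datetime import date

# Constructed sample: the getent shadow lines from the thread, before and
# after shadowLastChange was dropped from the restrictive slapd.conf ACL.
BEFORE = "user:*:::::::0\nuser2:*:::::::0\nuser3:*:::365::::0\ntommy:*:::365::::0"
AFTER = "user:*:::::::0\nuser2:*:::::::0\ntommy:*:14579::365::::0"

def parse_shadow(text):
    """Parse getent shadow output; an empty numeric field becomes None."""
    num = lambda s: int(s) if s else None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError("not a 9-field shadow line: %r" % line)
        entries.append({"name": f[0], "hash": f[1], "lastchg": num(f[2]),
                        "min": num(f[3]), "max": num(f[4]), "warn": num(f[5]),
                        "inact": num(f[6]), "expire": num(f[7])})
    return entries

def classify(entry, today=None):
    """Aging rules behind the 'password aged' message in the thread.

    missing-lastchange: shadowMax is set but shadowLastChange is not visible
    to NSS (in the thread: hidden by 'by * none' on that attribute), which
    pam_unix rejected as aged.  must-change: lastchange is 0.  aged:
    lastchange + max is in the past.  Otherwise ok."""
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days  # days since epoch
    if entry["max"] is None:
        return "ok"  # no aging configured for this account
    if entry["lastchg"] is None:
        return "missing-lastchange"
    if entry["lastchg"] == 0:
        return "must-change"
    if today >= entry["lastchg"] + entry["max"]:
        return "aged"
    return "ok"

def report(text, today=None):
    """Map each account name to its classification."""
    return {e["name"]: classify(e, today) for e in parse_shadow(text)}

if __name__ == "__main__":
    # 14574 is the shadowLastChange day number from the thread's LDIF.
    print("before:", report(BEFORE, today=14574))
    print("after: ", report(AFTER, today=14574))
```

The attribute the fix exposes, shadowLastChange, is only a day count, so letting NSS read it does not weaken the `by * none` rule that still covers the password hashes.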