On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C pdbedit -v gaio > Unix username: gaio > NT username: > Account Flags: [U ] > User SID: S-1-5-21-160080369-3601385002-3131615632-1105 > Primary Group SID: S-1-5-21-160080369-3601385002-3131615632-513 > Full Name: Marco Gaiarin > Home Directory: > HomeDir Drive: (null) > Logon Script: > Profile Path: > Domain: > Account desc: Marco Gaiarin > Workstations: > Munged dial: > Logon time: Tue, 03 Oct 2017 17:13:38 CEST > Logoff time: 0 > Kickoff time: Thu, 14 Sep 30828 04:48:05 CEST > Password last set: Fri, 20 Oct 2017 16:52:13 CEST > Password can change: Fri, 20 Oct 2017 16:52:13 CEST > Password must change: never > Last bad password : 0 > Bad password count : 0 > Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > > and looking at my account (and with a bit of google ;-) i've found > that, for example, password last set in LDAP is OK (minus a year, > i've not understood why): > > root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch > -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' > '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f 2) / 10000000) - > 11676009600 ))" Thu Oct 20 16:52:13 CEST 2016 > > If i try to do the same with 'accountExpires': > > root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch > -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' > '(cn=gaio)' | grep '^accountExpires:' | cut -d ' ' -f 2) / 10000000) > - 11676009600 ))" Wed Sep 15 04:48:05 CEST 30827 > > but google say me: > msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx?f=255&MSPPError=-2147217396 > > and: > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^accountExpires:' | > cut -d ' ' -f 2 9223372036854775807 > > so 'account never expires' matches with 'never'. > > > Also, if i look at 'userAccountControl' i found 512 as a value: > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' > | cut -d ' ' -f 2 512 > > so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by > msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). > > If i disable it: > root at vdcsv1:~# pdbedit --account-control="[D]" gaio > [...] > Account Flags: [DU ] > [...] > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' > | cut -d ' ' -f 2 514 > > so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE. > > If i set 'do not expire': > root at vdcsv1:~# pdbedit --account-control="[X]" gaio > [...] > Account Flags: [UX ] > [...] > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' > | cut -d ' ' -f 2 66048 > > so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT && > ADS_UF_DONT_EXPIRE_PASSWD. > > So, seems to me that 'pdbedit' is still a useful and coherent tool to > set account flags. > > > > With these experiments, i split my question in two part: > > > 1) considering that 'accountExpires' probably is here for other things > (eg, setting an account expiration ''per se'', not for setting > *password* expiration...), password expiration policy are enforced > ''automatically'' using last password change and policy value?! > In other way: to have the password expiration date, i've to > ''manually'' compute the date adding the policy days to the last > password set date? > Supposing i'm not using (only) ''default'' password policy, but i use > different password policies for different OUs (in GPOs), how can i > determine the 'max-pwd-age' policy value from GPOs? > > 2) as seems to be, 'pdbedit' is still a valuable tool to handle this > things (eg, read password dates and setting account flags)? > > > Thanks. >The main problem here is that you are still looking at the problem from the NT perpective, 'accountExpires' has nothing to do with when the password expires ;-) Setting 'userAccountControl' to 514, disables the account, it doesn't do anything to the password. There are a few attributes in play here, one of which you haven't mentioned: 'ms-DS-User-Account-Control-Computed'. The one you need to look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate when the password expires. The easiest way to find info on this subject is to remember that you are now using Active Directory and use this in an internet search, along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the search. Rowland
Mandi! Rowland Penny via samba In chel di` si favelave...> The main problem here is that you are still looking at the problem from > the NT perpective,Seems obvious to me. I came from 10+ years of experience on Samba3 NT domains, that indeed had excellent documentation and a more (for me) UNIX-minded approach. I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and i can see that many of them still work on AD mode. Still, every tool do something a bit different of the others, and still some things cannot be done now by this tools, or by samba-tool that i suppose aim to substitute all of them. I'm tring to understand, moving away from NT and jumping in AD. Sorry for my messages, but it is very hard to search for some info without clue...> 'accountExpires' has nothing to do with when the password expires ;-)I know. But in NT mode, samba (or was the smbldap-tools?) was used to write in 'accountExpires' explicitly, so i'm asking about it.> Setting 'userAccountControl' to 514, disables the account, it doesn't > do anything to the password.Again i know that. I was asking effectively if 'pdbedit' is still an affordable tool to write account control in AD.> The one you need to > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate > when the password expires.Ok, i've found that attribute, on the 'root' of the LDAP tree; but i think, measurement unit apart, it is the same of: root at vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum Maximum password age (days): 90 right?> The easiest way to find info on this subject is to remember that you > are now using Active Directory and use this in an internet search, > along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the > search.Ok, good. But still i've not the answer of one of my question, indeed. Password expiration are computed ''dynamically'' (now < pwdlastSet + maxPwdAge), or the value of password expiration (pwdlastSet + maxPwdAge) are saved (or accessible) somewhere? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' lanostrafamiglia.it Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Tue, 24 Oct 2017 18:37:09 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! Rowland Penny via samba > In chel di` si favelave... > > > The main problem here is that you are still looking at the problem > > from the NT perpective, > > Seems obvious to me. I came from 10+ years of experience on Samba3 NT > domains, that indeed had excellent documentation and a more (for me) > UNIX-minded approach. > > I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and i > can see that many of them still work on AD mode. > > Still, every tool do something a bit different of the others, and > still some things cannot be done now by this tools, or by samba-tool > that i suppose aim to substitute all of them. > > I'm tring to understand, moving away from NT and jumping in AD. Sorry > for my messages, but it is very hard to search for some info without > clue...No problem, as I keep saying, the only stupid question is the one you don't ask ;-)> > > > > 'accountExpires' has nothing to do with when the password > > expires ;-) > > I know. But in NT mode, samba (or was the smbldap-tools?) was used to > write in 'accountExpires' explicitly, so i'm asking about it.I never use pdbedit, so don't know how it works.> > > > Setting 'userAccountControl' to 514, disables the account, it > > doesn't do anything to the password. > > Again i know that. I was asking effectively if 'pdbedit' is still an > affordable tool to write account control in AD.See here for info on 'userAccountControl': support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro I believe pdbedit will do what you are asking, but as I don't use it, I don't know how to.> > > The one you need to > > look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate > > when the password expires. > > Ok, i've found that attribute, on the 'root' of the LDAP tree; but i > think, measurement unit apart, it is the same of: > > root at vdcsv1:~# samba-tool domain passwordsettings show | grep > ^Maximum Maximum password age (days): 90 > > right?Somebody has changed it ;-) The default is '42'> > > > The easiest way to find info on this subject is to remember that you > > are now using Active Directory and use this in an internet search, > > along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the > > search. > > Ok, good. But still i've not the answer of one of my question, indeed. > > Password expiration are computed ''dynamically'' (now < pwdlastSet + > maxPwdAge), or the value of password expiration (pwdlastSet + > maxPwdAge) are saved (or accessible) somewhere? >Good question, at the moment it is 'dynamic', but there is the 'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem to be used yet Samba. Rowland
Andrew Bartlett
2017-Oct-24 17:50 UTC
[Samba] Some hint reading password expiration data...
On Tue, 2017-10-24 at 18:37 +0200, Marco Gaiarin via samba wrote:> Password expiration are computed ''dynamically'' (now < pwdlastSet + > maxPwdAge), or the value of password expiration (pwdlastSet + > maxPwdAge) are saved (or accessible) somewhere?Dynamically. Andrew Bartlett -- Andrew Bartlett samba.org/~abartlet Authentication Developer, Samba Team samba.org Samba Developer, Catalyst IT catalyst.net.nz/services/samba