samba - Oct 2017 - Some hint reading password expiration data...

On Mon, 23 Oct 2017 16:52:05 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> Sorry, i came back on this, but:
> 
> > In another, more generic, way: how password policies are enforced?
> 
> still i need an answer on this question.
> 
> 
> I've done some tests, using my account, that pdbedit say:
> 
>  root at vdcsv1:~# LANG=C pdbedit -v gaio
>  Unix username:        gaio
>  NT username:          
>  Account Flags:        [U          ]
>  User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
>  Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
>  Full Name:            Marco Gaiarin
>  Home Directory:       
>  HomeDir Drive:        (null)
>  Logon Script:         
>  Profile Path:         
>  Domain:               
>  Account desc:         Marco Gaiarin
>  Workstations:         
>  Munged dial:          
>  Logon time:           Tue, 03 Oct 2017 17:13:38 CEST
>  Logoff time:          0
>  Kickoff time:         Thu, 14 Sep 30828 04:48:05 CEST
>  Password last set:    Fri, 20 Oct 2017 16:52:13 CEST
>  Password can change:  Fri, 20 Oct 2017 16:52:13 CEST
>  Password must change: never
>  Last bad password   : 0
>  Bad password count  : 0
>  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> and looking at my account (and with a bit of google ;-) i've found
> that, for example, password last set in LDAP is OK (minus a year,
> i've not understood why):
> 
>  root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^pwdLastSet:' | cut -d ' ' -f
2) / 10000000) -
> 11676009600 ))" Thu Oct 20 16:52:13 CEST 2016
> 
> If i try to do the same with 'accountExpires':
> 
>  root at vdcsv1:~# LANG=C date --date="@$(( ($(ldbsearch
> -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it'
> '(cn=gaio)' | grep '^accountExpires:' | cut -d ' '
-f 2) / 10000000)
> - 11676009600 ))" Wed Sep 15 04:48:05 CEST 30827
> 
> but google say me:
> 
https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
> 
> and:
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep
'^accountExpires:' |
> cut -d ' ' -f 2 9223372036854775807
> 
> so 'account never expires' matches with 'never'.
> 
> 
> Also, if i look at 'userAccountControl' i found 512 as a value:
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep
'^userAccountControl:'
> | cut -d ' ' -f 2 512
> 
> so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by
> https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx).
> 
> If i disable it:
> 	root at vdcsv1:~# pdbedit --account-control="[D]" gaio
> 	[...]
> 	Account Flags:        [DU         ]
> 	[...]
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep
'^userAccountControl:'
> | cut -d ' ' -f 2 514
> 
> so 0x200 + 0x2, ADS_UF_NORMAL_ACCOUNT && ADS_UF_ACCOUNTDISABLE.
> 
> If i set 'do not expire':
> 	root at vdcsv1:~# pdbedit --account-control="[X]" gaio
> 	[...]
> 	Account Flags:        [UX         ]
> 	[...]
> 	root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep
'^userAccountControl:'
> | cut -d ' ' -f 2 66048
> 
> so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT &&
> ADS_UF_DONT_EXPIRE_PASSWD.
> 
> So, seems to me that 'pdbedit' is still a useful and coherent tool
to
> set account flags.
> 
> 
> 
> With these experiments, i split my question in two part:
> 
> 
> 1) considering that 'accountExpires' probably is here for other
things
>  (eg, setting an account expiration ''per se'', not for
setting
> *password* expiration...), password expiration policy are enforced
> ''automatically'' using last password change and policy
value?!
> In other way: to have the password expiration date, i've to
> ''manually'' compute the date adding the policy days to the
last
> password set date?
> Supposing i'm not using (only) ''default'' password
policy, but i use
> different password policies for different OUs (in GPOs), how can i
> determine the 'max-pwd-age' policy value from GPOs?
> 
> 2) as seems to be, 'pdbedit' is still a valuable tool to handle
this
>  things (eg, read password dates and setting account flags)?
> 
> 
> Thanks.
> 
The main problem here is that you are still looking at the problem from
the NT perpective, 'accountExpires' has nothing to do with when the
password expires ;-)

Setting 'userAccountControl' to 514, disables the account, it
doesn't
do anything to the password.

There are a few attributes in play here, one of which you haven't
mentioned: 'ms-DS-User-Account-Control-Computed'. The one you need to
look at is 'pwdLastSet', this is used with 'maxPwdAge' to
calculate
when the password expires.

The easiest way to find info on this subject is to remember that you
are now using Active Directory and use this in an internet search,
along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba
in the
search.

Rowland

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> The main problem here is that you are still looking at the problem from
> the NT perpective,
Seems obvious to me. I came from 10+ years of experience on Samba3 NT
domains, that indeed had excellent documentation and a more (for me)
UNIX-minded approach.

I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and i
can see that many of them still work on AD mode.

Still, every tool do something a bit different of the others, and still
some things cannot be done now by this tools, or by samba-tool that i
suppose aim to substitute all of them.

I'm tring to understand, moving away from NT and jumping in AD. Sorry
for my messages, but it is very hard to search for some info without
clue...


> 'accountExpires' has nothing to do with when the password expires
;-)
I know. But in NT mode, samba (or was the smbldap-tools?) was used to
write in 'accountExpires' explicitly, so i'm asking about it.

> Setting 'userAccountControl' to 514, disables the account, it
doesn't
> do anything to the password.
Again i know that. I was asking effectively if 'pdbedit' is still an
affordable tool to write account control in AD.

> The one you need to
> look at is 'pwdLastSet', this is used with 'maxPwdAge' to
calculate
> when the password expires.
Ok, i've found that attribute, on the 'root' of the LDAP tree; but i
think, measurement unit apart, it is the same of:

	root at vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum
	Maximum password age (days): 90

right?

> The easiest way to find info on this subject is to remember that you
> are now using Active Directory and use this in an internet search,
> along with 'pwdlastSet' and 'maxPwdAge', don't mention
Samba in the
> search.
Ok, good. But still i've not the answer of one of my question, indeed.

Password expiration are computed ''dynamically'' (now <
pwdlastSet +
maxPwdAge), or the value of password expiration (pwdlastSet +
maxPwdAge) are saved (or accessible) somewhere?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Tue, 24 Oct 2017 18:37:09 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > The main problem here is that you are still looking at the problem
> > from the NT perpective,
> 
> Seems obvious to me. I came from 10+ years of experience on Samba3 NT
> domains, that indeed had excellent documentation and a more (for me)
> UNIX-minded approach.
> 
> I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and i
> can see that many of them still work on AD mode.
> 
> Still, every tool do something a bit different of the others, and
> still some things cannot be done now by this tools, or by samba-tool
> that i suppose aim to substitute all of them.
> 
> I'm tring to understand, moving away from NT and jumping in AD. Sorry
> for my messages, but it is very hard to search for some info without
> clue...
No problem, as I keep saying, the only stupid question is the one you
don't ask ;-)
> 
> 
> 
> > 'accountExpires' has nothing to do with when the password
> > expires ;-)
> 
> I know. But in NT mode, samba (or was the smbldap-tools?) was used to
> write in 'accountExpires' explicitly, so i'm asking about it.
I never use pdbedit, so don't know how it works.
> 
> 
> > Setting 'userAccountControl' to 514, disables the account, it
> > doesn't do anything to the password.
> 
> Again i know that. I was asking effectively if 'pdbedit' is still
an
> affordable tool to write account control in AD.
See here for info on 'userAccountControl':

https://support.microsoft.com/en-gb/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

I believe pdbedit will do what you are asking, but as I don't use it, I
don't know how to.
> 
> > The one you need to
> > look at is 'pwdLastSet', this is used with 'maxPwdAge'
to calculate
> > when the password expires.
> 
> Ok, i've found that attribute, on the 'root' of the LDAP tree;
but i
> think, measurement unit apart, it is the same of:
> 
> 	root at vdcsv1:~# samba-tool domain passwordsettings show | grep
> ^Maximum Maximum password age (days): 90
> 
> right?
Somebody has changed it ;-)
The default is '42'
> 
> 
> > The easiest way to find info on this subject is to remember that you
> > are now using Active Directory and use this in an internet search,
> > along with 'pwdlastSet' and 'maxPwdAge', don't
mention Samba in the
> > search.
> 
> Ok, good. But still i've not the answer of one of my question, indeed.
> 
> Password expiration are computed ''dynamically'' (now <
pwdlastSet +
> maxPwdAge), or the value of password expiration (pwdlastSet +
> maxPwdAge) are saved (or accessible) somewhere?
> 
 
Good question, at the moment it is 'dynamic', but there is the
'msDS-UserPasswordExpiryTimeComputed' attribute but it doesn't seem
to
be used yet Samba.

Rowland

On Tue, 2017-10-24 at 18:37 +0200, Marco Gaiarin via samba
wrote:
> Password expiration are computed ''dynamically'' (now <
pwdlastSet +
> maxPwdAge), or the value of password expiration (pwdlastSet +
> maxPwdAge) are saved (or accessible) somewhere?
Dynamically.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba