On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> >
> > Actually, that didn't quite work. It did change the domain password, but didn't reset the
> > expiration days. So today, when the previous password was set to expire, my account was locked
> > out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
> >
> > Suggestions on how I can get the expiration back to the 'Maximum password age' value?
>
> This sounds very strange. Are you sure the password changed on the DC?
> Did the msDS-KeyVersionNumber change, did the pwdLastSet change?

Yes, I know it changed on the DC because I was able to use the new password to log into another
Windows workstation, and I use the domain credential to log into an internal web application.
All these worked with the new PW. Later, I checked the Linux workstation's /etc/passwd to make
sure there was no entry for my user (there wasn't). It does seem strange.

Unfortunately, I did not check either msDS-KeyVersionNumber or pwdLastSet or even ldbsearch to
get msDS-UserPasswordExpiryTimeComputed before I reset the user pw from the domain
administrator. Next time!

In this thread I've been given 3 more ideas on how to do this:

samba-tool -U <myuser> user password

smbpasswd

kpasswd

I'll try each and see which works best for me.
> On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > >
> > > Actually, that didn't quite work. It did change the domain password, but didn't reset the
> > > expiration days. So today, when the previous password was set to expire, my account was locked
> > > out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
> > >
> > > Suggestions on how I can get the expiration back to the 'Maximum password age' value?
> >
> > This sounds very strange. Are you sure the password changed on the DC?
> > Did the msDS-KeyVersionNumber change, did the pwdLastSet change?
>
> Yes, I know it changed on the DC because I was able to use the new password to log into another
> Windows workstation, and I use the domain credential to log into an internal web application.
> All these worked with the new PW. Later, I checked the Linux workstation's /etc/passwd to make
> sure there was no entry for my user (there wasn't). It does seem strange.
>
> Unfortunately, I did not check either msDS-KeyVersionNumber or pwdLastSet or even ldbsearch to
> get msDS-UserPasswordExpiryTimeComputed before I reset the user pw from the domain
> administrator. Next time!
>
> In this thread I've been given 3 more ideas on how to do this:
>
> samba-tool -U <myuser> user password
>
> smbpasswd
>
> kpasswd
>
> I'll try each and see which works best for me.
>

I'm having some issues with this problem.

samba-tool -U <myuser> user password

gives me the error:

samba-tool: error: no such option: -U

Perhaps my version is too old (4.4.16)?

I did successfully change my domain password with kpasswd. I was able to log into Linux and
Windows workstations, Dovecot client, and a web site which uses ntlm_auth. I checked the
msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain setting is max 90 days).
I checked the next day (yesterday) and it was still 89 days.

I went to log into the Windows workstation and Linux workstation today and was locked out!
This is exactly the same thing that happened when I used passwd (see above).

Any idea why?

I'd like to try using smbpasswd next, but before I do I'd like to see the current
msDS-UserPasswordExpiryTimeComputed. Of course, I cannot do this as my user because I can't
log in. Is there a way to see this value as the domain administrator? I've tried:

/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))" msDS-UserPasswordExpiryTimeComputed

but that is asking for myuser's password, even as Dom Admin.

How can I view the user's password expiration settings?

--Mark
On Fri, 30 Mar 2018 20:19:02 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett
> > <abartlet at samba.org> wrote:
> >
> > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > >
> > > > Actually, that didn't quite work. It did change the domain
> > > > password, but didn't reset the expiration days. So today, when
> > > > the previous password was set to expire, my account was locked
> > > > out. I had to log onto the AD/DC as the Domain Administrator
> > > > and do 'samba-tool user setpassword'.
> > > >
> > > > Suggestions on how I can get the expiration back to the
> > > > 'Maximum password age' value?
> > >
> > > This sounds very strange. Are you sure the password changed on
> > > the DC? Did the msDS-KeyVersionNumber change, did the pwdLastSet
> > > change?
> >
> > Yes, I know it changed on the DC because I was able to use the new
> > password to log into another Windows workstation, and I use the
> > domain credential to log into an internal web application. All
> > these worked with the new PW. Later, I checked the Linux
> > workstation's /etc/passwd to make sure there was no entry for my
> > user (there wasn't). It does seem strange.
> >
> > Unfortunately, I did not check either msDS-KeyVersionNumber or
> > pwdLastSet or even ldbsearch to get
> > msDS-UserPasswordExpiryTimeComputed before I reset the user pw from
> > the domain administrator. Next time!
> >
> > In this thread I've been given 3 more ideas on how to do this:
> >
> > samba-tool -U <myuser> user password
> >
> > smbpasswd
> >
> > kpasswd
> >
> > I'll try each and see which works best for me.
> >
>
> I'm having some issues with this problem.
>
> samba-tool -U <myuser> user password
>
> gives me the error:
>
> samba-tool: error: no such option: -U
>
> Perhaps my version is too old (4.4.16)?

No, the syntax is wrong, it should be:

samba-tool user password -U <myuser>

This will then prompt the user for their 'oldpassword' and then the new
password (twice).

There is a gotcha though, as given it will only work on a DC, to do the
password change from a Unix domain member, you need to add
'--ipaddress=DCIPADDRESS'

> I did successfully change my domain password with kpasswd. I was
> able to log into Linux and Windows workstations, Dovecot client, and
> a web site which uses ntlm_auth. I checked the
> msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain
> setting is max 90 days). I checked the next day (yesterday) and it
> was still 89 days. I went to log into the Windows workstation and
> Linux workstation today and was locked out! This is exactly the same
> thing that happened when I used passwd (see above).
>
> Any idea why?

Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the ldbsearch
below? If so, is the result actually '89', or are you using some
calculation to get '89'?

I ask this because I would expect the attribute to contain something
like '9223372036854775807'

> I'd like to try using smbpasswd next, but before I do I'd like to see
> the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot
> do this as my user because I can't log in. Is there a way to see this
> value as the domain administrator? I've tried:
>
> /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
> sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))"
> msDS-UserPasswordExpiryTimeComputed
>
> but that is asking for myuser's password, even as Dom Admin.
>
> How can I view the user's password expiration settings?

If you are trying to find out if the user's password has expired or is
near to, you can use rpcclient for this.

Rowland
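An added example, not from the thread or from Samba itself, showing how to turn the raw 64-bit values Rowland refers to (msDS-UserPasswordExpiryTimeComputed and pwdLastSet, both Windows FILETIME ticks since 1601) into a date and a days-remaining figure, with the never-expires sentinel handled separately. The LDIF text is a constructed sample shaped like ldbsearch output, not real DC data, and the user DN is assumed:

```python
"""Decode msDS-UserPasswordExpiryTimeComputed / pwdLastSet from ldbsearch output.

Both attributes are 64-bit counts of 100-nanosecond ticks since 1601-01-01 UTC
(Windows FILETIME). The sentinel 9223372036854775807 means "never expires",
so it must be special-cased rather than converted to a date.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 9223372036854775807  # 0x7FFFFFFFFFFFFFFF

# Constructed sample shaped like ldbsearch LDIF output; not real DC data.
# pwdLastSet is 2018-03-28 00:00 UTC, the computed expiry is 90 days later.
SAMPLE_LDIF = """\
dn: CN=myuser,CN=Users,DC=hprs,DC=local
pwdLastSet: 131666688000000000
msDS-UserPasswordExpiryTimeComputed: 131744448000000000
"""


def parse_ldif_attrs(text):
    """Collect 'attr: value' pairs from a single-entry LDIF dump."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith("#"):
            key, val = line.split(": ", 1)
            attrs[key] = val.strip()
    return attrs


def filetime_to_iso(value):
    """FILETIME (str or int) -> ISO-8601 UTC string, or None for never-expires."""
    ticks = int(value)
    if ticks == NEVER_EXPIRES:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def days_until_expiry(attrs, now_iso):
    """Days left before expiry (negative once expired); None if never expires."""
    ticks = int(attrs["msDS-UserPasswordExpiryTimeComputed"])
    if ticks == NEVER_EXPIRES:
        return None
    expiry = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return (expiry - datetime.fromisoformat(now_iso)).total_seconds() / 86400


if __name__ == "__main__":
    a = parse_ldif_attrs(SAMPLE_LDIF)
    print("pwdLastSet:", filetime_to_iso(a["pwdLastSet"]))
    print("expires:   ", filetime_to_iso(a["msDS-UserPasswordExpiryTimeComputed"]))
    print("days left: ", days_until_expiry(a, "2018-03-29T00:00:00+00:00"))
```

Feeding real ldbsearch output through parse_ldif_attrs gives the same report; a value that stays fixed while the days-left figure keeps shrinking is the symptom Mark describes.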