On Sat, 31 Mar 2018 11:42:07 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > This will then prompt the user for their 'oldpassword' and then the
> > new password (twice). There is a gotcha though, as given it will
> > only work on a DC, to do the password change from a Unix domain
> > member, you need to add '--ipaddress=DCIPADDRESS'
>
> I'll try that after I've figured out what the user's expiration
> status is. With respect to this command, would the full syntax be:
>
> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
>
> I've tried that with no syntax error, but haven't pulled the trigger
> yet to change the password. I've also tried --ipaddress=dchostname
> which also did not give a syntax error.

Never tried it with the hostname, but I think the option name gives a
big hint ;-)

> > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > ldbsearch below ? If so, is the result actually '89' are you using
> > some calculation to get '89' ? I ask this because I would expect the
> > attribute to contain something like '9223372036854775807'
>
> Yes, the same ldbsearch. In fact, that and the calculation were
> given to me by you a couple of years ago. The rest of the
> calculation is:
>

OK

> > If you are trying to find out if the user's password has expired or
> > is near to, you can use rpcclient for this.
>
> I did the following:
>
> # rpcclient -U "" -N 192.168.0.2
> rpcclient $> enumdomusers
> :
> user:[mark] rid:[0x457]
> :
> rpcclient $> queryuser 0x457
> User Name : mark
> Full Name : Mark Foley
> (empty lines removed)
> Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
>
> Not sure I see where the expiration is except that Kickoff Time is
> set to Dec 31st, 1969 which is likely a zero in that field. Is that
> the problem?

When the user's password expires it must be changed (hint, hint) ;-)
Or an even bigger hint, the user needs to change their password before
the 27th of June

> Why would passwd and kpasswd not reset that?

I have no real idea, but it might have something to do with neither of
them having anything to do with AD.

Rowland
On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
wrote:

> On Sat, 31 Mar 2018 11:42:07 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org>
> > wrote:
> > >
> > > This will then prompt the user for their 'oldpassword' and then the
> > > new password (twice). There is a gotcha though, as given it will
> > > only work on a DC, to do the password change from a Unix domain
> > > member, you need to add '--ipaddress=DCIPADDRESS'
> >
> > I'll try that after I've figured out what the user's expiration
> > status is. With respect to this command, would the full syntax be:
> >
> > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> >
> > I've tried that with no syntax error, but haven't pulled the trigger
> > yet to change the password. I've also tried --ipaddress=dchostname
> > which also did not give a syntax error.
>
> Never tried it with the hostname, but I think the option name gives a
> big hint ;-)
>
> > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > ldbsearch below ? If so, is the result actually '89' are you using
> > > some calculation to get '89' ? I ask this because I would expect the
> > > attribute to contain something like '9223372036854775807'
> >
> > Yes, the same ldbsearch. In fact, that and the calculation were
> > given to me by you a couple of years ago. The rest of the
> > calculation is:
> >
>
> OK
>
> > > If you are trying to find out if the user's password has expired or
> > > is near to, you can use rpcclient for this.
> >
> > I did the following:
> >
> > # rpcclient -U "" -N 192.168.0.2
> > rpcclient $> enumdomusers
> > :
> > user:[mark] rid:[0x457]
> > :
> > rpcclient $> queryuser 0x457
> > User Name : mark
> > Full Name : Mark Foley
> > (empty lines removed)
> > Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> > Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> > Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> > Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
> >
> > Not sure I see where the expiration is except that Kickoff Time is
> > set to Dec 31st, 1969 which is likely a zero in that field. Is that
> > the problem?
>
> When the user's password expires it must be changed (hint, hint) ;-)
> Or an even bigger hint, the user needs to change their password before
> the 27th of June
>
> > Why would passwd and kpasswd not reset that?
>
> I have no real idea, but it might have something to do with neither of
> them having anything to do with AD.
>

I think you're right that although passwd and kpasswd do change the
domain password for the user, "neither of them have anything to do
with AD" and hence apparently do not reset the expiration day. So,
I've now tried:

samba-tool user password -U $USER --ipaddress=192.168.0.2

and that works and does reset the expiration count so that my
rpcclient query returns 90 days. I can also use the AD/DC host name
instead of the IP address.

I'm using this as a $HOME/.kde/Autostart script to check the password
expiration days-to-go with the KDE desktop. If less than 8 days to
go, it puts up a GUI dialog inviting the user to change the password.
This mimics the functionality of Windows. Without something like
this, the user does not know his password is about to expire and he
finds himself locked out.

If anyone is interested in seeing the whole Autostart script, send me
an email.

We'll see in June if this version works!

Thanks --Mark
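The days-to-go calculation that the thread refers to but never reproduces, written out as an added example (this is not Mark's Autostart script or any Samba code). It assumes the msDS-UserPasswordExpiryTimeComputed value has already been read from the DC; the ldbsearch-style output, the "now" timestamp (Sat 31 Mar 2018 15:42:07 UTC) and the attribute value (Wed 27 Jun 2018 04:00:11 UTC as a FILETIME) are constructed sample data.

```shell
#!/bin/sh
# Added example, not the thread's Autostart script: turn the value of
# msDS-UserPasswordExpiryTimeComputed (a Windows FILETIME, i.e. 100 ns
# intervals since 1601-01-01 UTC) into days until the password expires.
# In practice the value comes from ldbsearch against the DC; here it is
# a constructed sample so the script runs offline.

FILETIME_UNIX_EPOCH=116444736000000000  # 1970-01-01 expressed as a FILETIME
FILETIME_NEVER=9223372036854775807      # value AD reports for "never expires"
WARN_DAYS=8                             # threshold used in the thread

# Constructed ldbsearch-style output (not captured from a real DC)
SAMPLE_LDB_OUTPUT='dn: CN=mark,CN=Users,DC=example,DC=com
msDS-UserPasswordExpiryTimeComputed: 131745456110000000'

# expiry_from_ldb TEXT -> prints the attribute value found in TEXT
expiry_from_ldb() {
    printf '%s\n' "$1" | awk '/^msDS-UserPasswordExpiryTimeComputed:/ { print $2 }'
}

# days_until_expiry FILETIME NOW_EPOCH -> prints "never", "expired" or whole days left
days_until_expiry() {
    expiry=$1
    now=$2
    if [ "$expiry" = "$FILETIME_NEVER" ]; then
        echo never
        return 0
    fi
    # 64-bit shell arithmetic: drop the 1601->1970 offset, scale 100 ns to seconds
    expiry_epoch=$(( (expiry - FILETIME_UNIX_EPOCH) / 10000000 ))
    if [ "$expiry_epoch" -le "$now" ]; then
        echo expired        # also covers a value of 0 (must change at next logon)
        return 0
    fi
    echo $(( (expiry_epoch - now) / 86400 ))
}

# should_warn DAYS [THRESHOLD] -> exit status 0 when a dialog should be shown
should_warn() {
    case "$1" in
        never)   return 1 ;;
        expired) return 0 ;;
        *)       [ "$1" -lt "${2:-$WARN_DAYS}" ] ;;
    esac
}

# Stand-alone run: evaluate the sample as of Sat 31 Mar 2018 15:42:07 UTC
days=$(days_until_expiry "$(expiry_from_ldb "$SAMPLE_LDB_OUTPUT")" 1522510927)
if should_warn "$days"; then echo "password expires in $days days, prompt the user"
else echo "password expires in $days days, nothing to do"; fi
```

Replacing the sample with the real ldbsearch output and 1522510927 with `$(date +%s)` gives the check a desktop autostart script needs; whatever the dialog tool, the change itself still has to go through samba-tool with --ipaddress as the thread says.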
On Tue, 03 Apr 2018 23:34:13 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
>
> > On Sat, 31 Mar 2018 11:42:07 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
> > > <rpenny at samba.org> wrote:
> > > >
> > > > This will then prompt the user for their 'oldpassword' and then
> > > > the new password (twice). There is a gotcha though, as given it
> > > > will only work on a DC, to do the password change from a Unix
> > > > domain member, you need to add '--ipaddress=DCIPADDRESS'
> > >
> > > I'll try that after I've figured out what the user's expiration
> > > status is. With respect to this command, would the full syntax be:
> > >
> > > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > >
> > > I've tried that with no syntax error, but haven't pulled the
> > > trigger yet to change the password. I've also tried
> > > --ipaddress=dchostname which also did not give a syntax error.
> >
> > Never tried it with the hostname, but I think the option name gives
> > a big hint ;-)
> >
> > > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > > ldbsearch below ? If so, is the result actually '89' are you
> > > > using some calculation to get '89' ? I ask this because I would
> > > > expect the attribute to contain something like
> > > > '9223372036854775807'
> > >
> > > Yes, the same ldbsearch. In fact, that and the calculation were
> > > given to me by you a couple of years ago. The rest of the
> > > calculation is:
> > >
> >
> > OK
> >
> > > > If you are trying to find out if the user's password has expired
> > > > or is near to, you can use rpcclient for this.
> > >
> > > I did the following:
> > >
> > > # rpcclient -U "" -N 192.168.0.2
> > > rpcclient $> enumdomusers
> > > :
> > > user:[mark] rid:[0x457]
> > > :
> > > rpcclient $> queryuser 0x457
> > > User Name : mark
> > > Full Name : Mark Foley
> > > (empty lines removed)
> > > Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> > > Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > > Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > > Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> > > Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> > > Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
> > >
> > > Not sure I see where the expiration is except that Kickoff Time is
> > > set to Dec 31st, 1969 which is likely a zero in that field. Is
> > > that the problem?
> >
> > When the user's password expires it must be changed (hint, hint) ;-)
> > Or an even bigger hint, the user needs to change their password
> > before the 27th of June
> >
> > > Why would passwd and kpasswd not reset that?
> >
> > I have no real idea, but it might have something to do with neither
> > of them having anything to do with AD.
> >
>
> I think you're right that although passwd and kpasswd do change the
> domain password for the user, "neither of them have anything to do
> with AD" and hence apparently do not reset the expiration day. So,
> I've now tried:
>
> samba-tool user password -U $USER --ipaddress=192.168.0.2

The relevant line in my yad script looks like this:

${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME} ${OLDPASS}

>
> and that works and does reset the expiration count so that my
> rpcclient query returns 90 days. I can also use the AD/DC host name
> instead of the IP address.
>
> I'm using this as a $HOME/.kde/Autostart script to check the password
> expiration days-to-go with the KDE desktop. If less than 8 days to
> go, it puts up a GUI dialog inviting the user to change the password.
> This mimics the functionality of Windows. Without something like
> this, the user does not know his password is about to expire and he
> finds himself locked out.

Do you have the checking of the password and the changing in one
script ? I use two, one to check when the password expires and another
to change it.

Rowland
OK, I'm having issues with the problem. To summarize, I'm trying to have
a normal user change his password from a domain member. I've tried:
passwd, kpasswd and 'samba-tool user password -U $USER
--ipaddress=<IPofAD/DC>'. All mechanisms do change the domain password
and I can log into Windows and Linux domain members, and websites
requiring domain authentication.

HOWEVER, after 1 to 3 days the account becomes locked out.

About 2 days ago I did the samba-tool method and reported in this thread
that it worked. Today I tried to log into my Windows workstation and was
locked out. The Samba log message was:

[2018/04/05 05:11:38.549997, 2] authentication for user [HPRS/myuser] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT

ntlm_auth gives:

Unable to Authenticate: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc0000234)

This all despite rpcclient saying the expiration is in July.

As the domain administrator I ran 'samba-tool user setpassword myuser'
and reset the password and was able to log in. I'm going to not mess
with this for a couple of days and see what happens.

The rpcclient output shows no indication that the user is locked out.
The logon time is shown as 10:03AM today, but I was unable to log in
then. Is there a better tool than rpcclient that will give lockout
status?

Does anyone have any idea why this is happening?

rpcclient $> queryuser 0x457
User Name : myuser
Logon Time : Thu, 05 Apr 2018 10:03:45 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Thu, 05 Apr 2018 10:25:39 EDT
Password can change Time : Thu, 05 Apr 2018 10:25:39 EDT
Password must change Time: Wed, 04 Jul 2018 10:26:42 EDT
unknown_2[0..31]...
user_rid : 0x457
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x08ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...

--Mark
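The lockout state rpcclient does expose is the acb_info bitmap in the queryuser output above: 0x00000010 is ACB_NORMAL with no other bit set, so at the moment that query ran the DC did not report the account as auto-locked (ACB_AUTOLOCK, 0x0400) or disabled. The script below, an added example that is neither Mark's nor Samba's code, parses that field and names the state; the queryuser text it reads is a constructed sample modelled on the thread, and the bit values are the ACB_* flags from Samba's samr.idl.

```shell
#!/bin/sh
# Added example, not from the thread: decode the acb_info bitmap that
# 'rpcclient queryuser' prints, so a check script can report a locked-out
# or disabled account instead of only the expiry date. The bit values are
# the ACB_* flags from Samba's samr.idl; only the ones needed here are listed.

ACB_DISABLED=1         # 0x00000001  account disabled
ACB_NORMAL=16          # 0x00000010  normal user account (the value in the thread)
ACB_PWNOEXP=512        # 0x00000200  password never expires
ACB_AUTOLOCK=1024      # 0x00000400  account auto-locked after bad passwords
ACB_PW_EXPIRED=131072  # 0x00020000  password expired

# Constructed queryuser output, modelled on the thread (not a real capture)
SAMPLE_QUERYUSER='User Name   :   myuser
acb_info :  0x00000010
bad_password_count: 0x00000000'

# acb_info_from_output TEXT -> prints acb_info as a decimal integer
acb_info_from_output() {
    hex=$(printf '%s\n' "$1" | awk -F: '/^acb_info/ { gsub(/[ \t]/, "", $2); print $2 }')
    echo $(( hex ))
}

# has_flag VALUE FLAG -> exit status 0 when FLAG is set in VALUE
has_flag() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# account_status VALUE -> locked | disabled | expired | no-expiry | ok (first match wins)
account_status() {
    if   has_flag "$1" "$ACB_AUTOLOCK";   then echo locked
    elif has_flag "$1" "$ACB_DISABLED";   then echo disabled
    elif has_flag "$1" "$ACB_PW_EXPIRED"; then echo expired
    elif has_flag "$1" "$ACB_PWNOEXP";    then echo no-expiry
    else echo ok
    fi
}

# Stand-alone run against the constructed sample
acb=$(acb_info_from_output "$SAMPLE_QUERYUSER")
echo "acb_info=$acb status=$(account_status "$acb")"
```

A queryuser snapshot only shows the state at the time it is run, so a lockout that happened between the password change and the next logon is easiest to confirm from the DC side, for example the lockoutTime attribute on the user object in AD.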