Matthew Delfino
2019-Mar-29 20:45 UTC
[Samba] Attempts to Set Max Password Age in Samba Tool Fails
Hello! I am on Samba 4.10.0, Ubuntu 16.04.2 LTS. I recently reset a password and found that my password expiration had somehow gotten set to 400 days. I went to one of my DCs and ran the following command: # samba-tool domain passwordsettings show Password informations for domain 'DC=samdom,DC=mydomain,DC=com' Password complexity: on Store plaintext passwords: off Password history length: 5 Minimum password length: 14 Minimum password age (days): 0 Maximum password age (days): 400 Account lockout duration (mins): 60 Account lockout threshold (attempts): 30 Reset account lockout after (mins): 60 That needed to change so, I tried to enforce my company's policy: # samba-tool domain passwordsettings set --max-pwd-age=270 ERROR(<class 'TypeError'>): uncaught exception - unorderable types: NoneType() >= int() File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 184, in _run return self.run(*args, **kwargs) File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1513, in run if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age: I tried several numbers for max-pwd-age, they all sent the same error. I tried setting the min-pwd-age to 0 again, even though it was already 0. That command was successful, but it didn't help at all. Am I doing something wrong? Any advice? Thanks, Matthew © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
Rowland Penny
2019-Mar-29 21:33 UTC
[Samba] Attempts to Set Max Password Age in Samba Tool Fails
On Fri, 29 Mar 2019 15:45:57 -0500 Matthew Delfino via samba <samba at lists.samba.org> wrote:> Hello! > > > I am on Samba 4.10.0, Ubuntu 16.04.2 LTS. I recently reset a password > and found that my password expiration had somehow gotten set to 400 > days.Where did you get the Samba 4.10.0 packages from ?> > I went to one of my DCs and ran the following command: > > > > # samba-tool domain passwordsettings show > Password informations for domain 'DC=samdom,DC=mydomain,DC=com' > > > Password complexity: on > Store plaintext passwords: off > Password history length: 5 > Minimum password length: 14 > Minimum password age (days): 0 > Maximum password age (days): 400 > Account lockout duration (mins): 60 > Account lockout threshold (attempts): 30 > Reset account lockout after (mins): 60 > > > That needed to change so, I tried to enforce my company's policy: > > > > # samba-tool domain passwordsettings set --max-pwd-age=270 > ERROR(<class 'TypeError'>): uncaught exception - unorderable types: > NoneType() >= int() File > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 184, > in _run return self.run(*args, **kwargs) File > "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1513, > in run if max_pwd_age and max_pwd_age > 0 and min_pwd_age >> max_pwd_age:What Python 3 packages are installed ? Rowland
Rowland Penny
2019-Mar-29 22:35 UTC
[Samba] Attempts to Set Max Password Age in Samba Tool Fails
On Fri, 29 Mar 2019 16:46:13 -0500 Matthew Delfino <mdelfino.list.samba at knockinc.com> wrote:> Hey Rowland, thank you for getting back to me so quickly. Answers in > line below... > > From: Rowland Penny via samba <samba at lists.samba.org> > > To: <samba at lists.samba.org> > Sent: 3/29/2019 4:33 PM > Subject: Re: [Samba] Attempts to Set Max Password Age in Samba > Tool Fails > > On Fri, 29 Mar 2019 15:45:57 -0500 > Matthew Delfino via samba <samba at lists.samba.org> wrote: > > > Hello! > > > > > > I am on Samba 4.10.0, Ubuntu 16.04.2 LTS. I recently reset a > > password and found that my password expiration had somehow gotten > > set to 400 days. > > Where did you get the Samba 4.10.0 packages from ? > > I compiled the source code on samba.org, used 'make install' to put > them in place.Hmm, I suppose you 'configured' Samba to put Samba into the normal places Ubuntu usually finds it e.g. /var/lib/samba What was your configure line ? Is any of the standard Ubuntu Samba packages installed ?> > > > > I went to one of my DCs and ran the following command: > > > > > > > > # samba-tool domain passwordsettings show > > Password informations for domain 'DC=samdom,DC=mydomain,DC=com' > > > > > > Password complexity: on > > Store plaintext passwords: off > > Password history length: 5 > > Minimum password length: 14 > > Minimum password age (days): 0 > > Maximum password age (days): 400 > > Account lockout duration (mins): 60 > > Account lockout threshold (attempts): 30 > > Reset account lockout after (mins): 60 > > > > > > That needed to change so, I tried to enforce my company's policy: > > > > > > > > # samba-tool domain passwordsettings set --max-pwd-age=270 > > ERROR(<class 'TypeError'>): uncaught exception - unorderable types: > > NoneType() >= int() File > > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line > > 184, in _run return self.run(*args, **kwargs) File > > "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1513, > > in run if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= > > max_pwd_age: > > What Python 3 packages are installed ? > > > > # dpkg --list | grep python3 | awk '{ print $1 "\t" $2 "\t" $3 }' > ii libpython3-dev:amd64 3.5.1-3 > ii libpython3-stdlib:amd64 3.5.1-3 > ii libpython3.5:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-dev:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-minimal:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-stdlib:amd64 3.5.2-2ubuntu0~16.04.5 > ii python3 3.5.1-3 > ii python3-apport 2.20.1-0ubuntu2.18 > ii python3-apt 1.1.0~beta1ubuntu0.16.04.2 > ii python3-chardet 2.3.0-2 > ii python3-commandnotfound 0.3ubuntu16.04.2 > ii python3-dbus 1.2.0-3 > ii python3-debian 0.1.27ubuntu2 > ii python3-dev 3.5.1-3 > ii python3-distupgrade 1:16.04.26 > ii python3-dnspython 1.12.0-0ubuntu3 > ii python3-gdbm:amd64 3.5.1-1 > ii python3-gi 3.20.0-0ubuntu1 > ii python3-gpgme 0.3-1.1 > ii python3-markdown 2.6.6-1 > ii python3-minimal 3.5.1-3 > ii python3-newt 0.52.18-1ubuntu2 > ii python3-pip 8.1.1-2ubuntu0.4 > ii python3-pkg-resources 20.7.0-1 > ii python3-problem-report 2.20.1-0ubuntu2.18 > ii python3-pycurl 7.43.0-1ubuntu1 > ii python3-pygments 2.1+dfsg-1 > ii python3-requests 2.9.1-3ubuntu0.1 > ii python3-setuptools 20.7.0-1 > ii python3-six 1.10.0-3 > ii python3-software-properties 0.96.20.8 > ii python3-systemd 231-2build1 > ii python3-update-manager 1:16.04.15 > ii python3-urllib3 1.13.1-2ubuntu0.16.04.2 > ii python3-wheel 0.29.0-1 > ii python3-yaml 3.11-3build1 > ii python3.5 3.5.2-2ubuntu0~16.04.5 > ii python3.5-dev 3.5.2-2ubuntu0~16.04.5 > ii python3.5-minimal 3.5.2-2ubuntu0~16.04.5I haven't built 4.10 (yet), but at least one thing jumps out, to build with python2, you need python2-crypto, so I suppose that you will need python3-crypto when building with python3 Rowland
Matthew Delfino
2019-Mar-30 16:07 UTC
[Samba] Attempts to Set Max Password Age in Samba Tool Fails
From: Rowland Penny via samba <samba at lists.samba.org> To: "samba at lists.samba.org" <samba at lists.samba.org> Sent: 3/29/2019 5:35 PM Subject: Re: [Samba] Attempts to Set Max Password Age in Samba Tool Fails On Fri, 29 Mar 2019 16:46:13 -0500 Matthew Delfino <mdelfino.list.samba at knockinc.com> wrote:> Hey Rowland, thank you for getting back to me so quickly. Answers in > line below... > > From: Rowland Penny via samba <samba at lists.samba.org> > > To: <samba at lists.samba.org> > Sent: 3/29/2019 4:33 PM > Subject: Re: [Samba] Attempts to Set Max Password Age in Samba > Tool Fails > > On Fri, 29 Mar 2019 15:45:57 -0500 > Matthew Delfino via samba <samba at lists.samba.org> wrote: > > > Hello! > > > > > > I am on Samba 4.10.0, Ubuntu 16.04.2 LTS. I recently reset a > > password and found that my password expiration had somehow gotten > > set to 400 days. > > Where did you get the Samba 4.10.0 packages from ? > > I compiled the source code on samba.org, used 'make install' to put > them in place.Hmm, I suppose you 'configured' Samba to put Samba into the normal places Ubuntu usually finds it e.g. /var/lib/samba Right you are. What was your configure line ? Assuming too much info is better than not enough, and hoping the context might help, here's my *upgrade* process: # cd /usr/local/src # wget https://download.samba.org/pub/samba/stable/samba-4.10.0.tar.gz (or whatever new version is posted) # tar -zxf samba-4.10.0.tar.gz # rm samba-4.10.0.tar.gz # ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man/ --enable-debug # make # sudo service samba-ad-dc stop # sudo make install # sudo shutdown -r now This process has never failed me... Perhaps... until now? Is any of the standard Ubuntu Samba packages installed ? No. Each of my DCs was built from the ground up for Samba to be installed via source code (and it was always installed with the aforementioned "configure" line). My domain's Samba AD DCs were on Samba 4.8.9 until last week, when I installed Samba 4.10.0 over them, using the commands above. The oldest version installed was some point release of 4.7. When upgrading to 4.10.0, verbiage about moving to Python 3 in the READ ME lead me to take the extra step of installing the packages outlined on the samba wiki page entitled, "Package_Dependencies_Required_to_Build_Samba," section, "Debian / Ubuntu." Apropos to the comment you left below, note that this page does not recommend the "python3-crypto" package. That's not me telling you that you're wrong because wiki page - I'm not that kind of dude. I'm just calling out that, if you're right, someone with Samba wiki editing powers would be a really cool if s/he'd add it to the list. ;-)> > > > I went to one of my DCs and ran the following command: > > > > > > > > # samba-tool domain passwordsettings show > > Password informations for domain 'DC=samdom,DC=mydomain,DC=com' > > > > > > Password complexity: on > > Store plaintext passwords: off > > Password history length: 5 > > Minimum password length: 14 > > Minimum password age (days): 0 > > Maximum password age (days): 400 > > Account lockout duration (mins): 60 > > Account lockout threshold (attempts): 30 > > Reset account lockout after (mins): 60 > > > > > > That needed to change so, I tried to enforce my company's policy: > > > > > > > > # samba-tool domain passwordsettings set --max-pwd-age=270 > > ERROR(<class 'TypeError'>): uncaught exception - unorderable types: > > NoneType() >= int() File > > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line > > 184, in _run return self.run(*args, **kwargs) File > > "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1513, > > in run if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= > > max_pwd_age: > > What Python 3 packages are installed ? > > > > # dpkg --list | grep python3 | awk '{ print $1 "\t" $2 "\t" $3 }' > ii libpython3-dev:amd64 3.5.1-3 > ii libpython3-stdlib:amd64 3.5.1-3 > ii libpython3.5:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-dev:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-minimal:amd64 3.5.2-2ubuntu0~16.04.5 > ii libpython3.5-stdlib:amd64 3.5.2-2ubuntu0~16.04.5 > ii python3 3.5.1-3 > ii python3-apport 2.20.1-0ubuntu2.18 > ii python3-apt 1.1.0~beta1ubuntu0.16.04.2 > ii python3-chardet 2.3.0-2 > ii python3-commandnotfound 0.3ubuntu16.04.2 > ii python3-dbus 1.2.0-3 > ii python3-debian 0.1.27ubuntu2 > ii python3-dev 3.5.1-3 > ii python3-distupgrade 1:16.04.26 > ii python3-dnspython 1.12.0-0ubuntu3 > ii python3-gdbm:amd64 3.5.1-1 > ii python3-gi 3.20.0-0ubuntu1 > ii python3-gpgme 0.3-1.1 > ii python3-markdown 2.6.6-1 > ii python3-minimal 3.5.1-3 > ii python3-newt 0.52.18-1ubuntu2 > ii python3-pip 8.1.1-2ubuntu0.4 > ii python3-pkg-resources 20.7.0-1 > ii python3-problem-report 2.20.1-0ubuntu2.18 > ii python3-pycurl 7.43.0-1ubuntu1 > ii python3-pygments 2.1+dfsg-1 > ii python3-requests 2.9.1-3ubuntu0.1 > ii python3-setuptools 20.7.0-1 > ii python3-six 1.10.0-3 > ii python3-software-properties 0.96.20.8 > ii python3-systemd 231-2build1 > ii python3-update-manager 1:16.04.15 > ii python3-urllib3 1.13.1-2ubuntu0.16.04.2 > ii python3-wheel 0.29.0-1 > ii python3-yaml 3.11-3build1 > ii python3.5 3.5.2-2ubuntu0~16.04.5 > ii python3.5-dev 3.5.2-2ubuntu0~16.04.5 > ii python3.5-minimal 3.5.2-2ubuntu0~16.04.5I haven't built 4.10 (yet), but at least one thing jumps out, to build with python2, you need python2-crypto, so I suppose that you will need python3-crypto when building with python3 Okay. I just got that "python3-crypto" package on my DCs. I'm going to start the long process of recompiling and reinstalling now to see if that helps. I'm going to send this email before doing so in case you're inclined to reply on the weekend with any insights from this message. I hope you're having a nice weekend. Matthew © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.