Jonathon Reinhart
2021-Oct-29 20:01 UTC
[Samba] Password policy for user-managed passwords
On Fri, Oct 29, 2021 at 3:21 PM Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
>
> On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> >
> > > > You can force a user to change their password by resetting it with:
> > > >
> > > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> > >
> > > This implies I have to set a password that I would provide to them
> > > before they can set a new one if I'm reading that correctly? How
> > > would I apply that domain wide?
> >
> > I would only do this for individual users or new users. I suppose you
> > could write a script to do it, randomly create a password and use that,
> > the problem would be in getting the interim password to the user, but
> > you never know, someone may have an idea how to do this.
> >
> > > > There are a couple of attributes that need changing,
> > > > userAccountControl and accountExpires
> > > >
> > > > If 'accountExpires' isn't set, then the password will expire on the
> > > > day shown by the first samba-tool command above. A value of 0 or
> > > > 9223372036854775807 indicates that the account never expires.
> > > >
> > > > You can set the password expiry with:
> > > > samba-tool user setexpiry
> > >
> > > Yes. This is the setting I typically set to 0.
> > >
> > > > Add '--help' to the above command for more info.
> > > >
> > > > Rowland
> > >
> > > I'm still uncertain how I transition smoothly. If I set the
> > > password to expire after 1 day will they be prompted to change it
> > > or will their account be disabled per the wording for that option?
> >
> > The 'prompting' is down to the display manager, it should prompt the
> > user to change their password, it should prompt well before the
> > password expires, so I wouldn't use 1 day.
> >
> > > If the first users to change their password change it within a few
> > > hours but the others take a week won't the ones that change it be
> > > forced to change every day until the slowest tell me they've
> > > completed the task and I can change the policy to 60 or 90?
> >
> > It doesn't work that way, if you set expiry to 1 day, then that is when
> > the password will expire, so if the users do not change their passwords
> > before the end of the day, then any passwords not changed will expire
> > and those users will not be able to login. You are correct about the users
> > having to change their passwords every day, that is yet another reason
> > to not use 1 day.
> >
> > > Also, you mentioned 'userAccountControl' needed changing but you
> > > didn't elaborate.
> >
> > Sorry, if you use samba-tool to set a user's expiry, then that attribute
> > is set for you. To understand 'userAccountControl', try reading this:
> >
> > https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
> >
> > Rowland
> >
>
> Working on implementing this and I'm at the stage where I've enabled (but
> not forced) self managed password. In other words, I have not set
> an expiration but users should be able to change their passwords. With my
> admin account and a test user account everything works: I create the user,
> login with the temp password, change the password and it works. But when
> existing users of the network try, they get an 'access denied'. I looked
> around and can't find much other than the possibility that a GPO with min
> passwd age might be preventing the change. Before I go unnecessarily
> messing with GPOs I thought I'd ask here. I'm wondering if perhaps this
> might be a terminal services issue?

Maybe not even a GPO, but just a domain password policy.

Run this on the domain controller:

$ sudo samba-tool domain passwordsettings show

and look for "Minimum password age (days)"
Philippe LeCavalier
2021-Oct-29 20:23 UTC
[Samba] Password policy for user-managed passwords
On Fri, Oct 29, 2021, 16:01 Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> On Fri, Oct 29, 2021 at 3:21 PM Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
> >
> > On Sun, Jul 18, 2021 at 10:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > >
> > > > > You can force a user to change their password by resetting it with:
> > > > >
> > > > > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> > > >
> > > > This implies I have to set a password that I would provide to them
> > > > before they can set a new one if I'm reading that correctly? How
> > > > would I apply that domain wide?
> > >
> > > I would only do this for individual users or new users. I suppose you
> > > could write a script to do it, randomly create a password and use that,
> > > the problem would be in getting the interim password to the user, but
> > > you never know, someone may have an idea how to do this.
> > >
> > > > > There are a couple of attributes that need changing,
> > > > > userAccountControl and accountExpires
> > > > >
> > > > > If 'accountExpires' isn't set, then the password will expire on the
> > > > > day shown by the first samba-tool command above. A value of 0 or
> > > > > 9223372036854775807 indicates that the account never expires.
> > > > >
> > > > > You can set the password expiry with:
> > > > > samba-tool user setexpiry
> > > >
> > > > Yes. This is the setting I typically set to 0.
> > > >
> > > > > Add '--help' to the above command for more info.
> > > > >
> > > > > Rowland
> > > >
> > > > I'm still uncertain how I transition smoothly. If I set the
> > > > password to expire after 1 day will they be prompted to change it
> > > > or will their account be disabled per the wording for that option?
> > >
> > > The 'prompting' is down to the display manager, it should prompt the
> > > user to change their password, it should prompt well before the
> > > password expires, so I wouldn't use 1 day.
> > >
> > > > If the first users to change their password change it within a few
> > > > hours but the others take a week won't the ones that change it be
> > > > forced to change every day until the slowest tell me they've
> > > > completed the task and I can change the policy to 60 or 90?
> > >
> > > It doesn't work that way, if you set expiry to 1 day, then that is when
> > > the password will expire, so if the users do not change their passwords
> > > before the end of the day, then any passwords not changed will expire
> > > and those users will not be able to login. You are correct about the users
> > > having to change their passwords every day, that is yet another reason
> > > to not use 1 day.
> > >
> > > > Also, you mentioned 'userAccountControl' needed changing but you
> > > > didn't elaborate.
> > >
> > > Sorry, if you use samba-tool to set a user's expiry, then that attribute
> > > is set for you. To understand 'userAccountControl', try reading this:
> > >
> > > https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
> > >
> > > Rowland
> > >
> >
> > Working on implementing this and I'm at the stage where I've enabled (but
> > not forced) self managed password. In other words, I have not set
> > an expiration but users should be able to change their passwords. With my
> > admin account and a test user account everything works: I create the user,
> > login with the temp password, change the password and it works. But when
> > existing users of the network try, they get an 'access denied'. I looked
> > around and can't find much other than the possibility that a GPO with min
> > passwd age might be preventing the change. Before I go unnecessarily
> > messing with GPOs I thought I'd ask here. I'm wondering if perhaps this
> > might be a terminal services issue?
>
> Maybe not even a GPO, but just a domain password policy.
>
> Run this on the domain controller:
>
> $ sudo samba-tool domain passwordsettings show
>
> and look for "Minimum password age (days)"

It's set to 0 (zero)
Perhaps your issue is described here:

> There are two possible ways to modify the unicodePwd attribute. The
> first is similar to a normal user change password operation. In this
> case, the modify request must contain both a delete and an add
> operation. The delete operation must contain the current password
> with quotes around it. The add operation must contain the desired new
> password with quotes around it.
>
> The second way to modify this attribute is analogous to an
> administrator resetting a password for a user. In order to do this,
> the client must bind as a user with sufficient permissions to modify
> another user's password. This modify request should contain a single
> replace operation with the new desired password surrounded by quotes.
> If the client has sufficient permissions, this password becomes the
> new password, regardless of what the old password was.

Read more here: https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password

MJ
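The two unicodePwd modify shapes that the quoted Microsoft article describes, as an added example that is not from the thread, Samba or Microsoft: it builds both modification lists offline, so a defender can see exactly what a self-service change sends versus an administrative reset. The dict-of-lists layout is assumed to match the ldap3 `Connection.modify()` changes argument; no connection is opened.

```python
# Added example: construct the unicodePwd modifications described in the
# Microsoft article quoted above. Nothing is sent to a server; the functions
# return the change structures. Layout assumed to be ldap3's 'changes' dict
# (python-ldap would take a list of (op, attr, values) tuples instead).

# ldap3 exposes these operation names as string constants with these values.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes, then UTF-16LE encoded.

    Both AD and Samba AD only accept this attribute over an encrypted
    connection (LDAPS or a sealed bind), so the value never travels in clear.
    """
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values missing the quote framing."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def user_change_mods(old_password: str, new_password: str) -> dict:
    """Self-service change: delete the current value, then add the new one.

    The DC checks the deleted value against the stored password and applies
    the domain policy (minimum age, history, complexity) before accepting the
    added value, which is why an ordinary user can get 'access denied' while an
    administrative reset of the same account succeeds.
    """
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


def admin_reset_mods(new_password: str) -> dict:
    """Administrative reset: one replace, no old password, needs reset rights."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


if __name__ == "__main__":
    # Constructed sample passwords, not values from the thread.
    for op, values in user_change_mods("OldP@ss1", "NewP@ss2")["unicodePwd"]:
        print(op, values[0].hex())
    print(admin_reset_mods("NewP@ss2"))
```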