samba - Jun 2022 - Password Expiration setting and manually adjusting the date

I suggest, increase the debug level, see that happening when users change a
password. 
And tell us which samba version and OS your using, add the content of
smb.conf 

That's pretty important. 

This one might help out. 
sudo samba-tool domain passwordsettings

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba <samba-bounces at lists.samba.org> Namens Philippe
LeCavalier
> via samba
> Verzonden: woensdag 8 juni 2022 03:05
> Aan: samba <samba at lists.samba.org>
> Onderwerp: Re: [Samba] Password Expiration setting and manually adjusting
> the date
> 
> On Tue, Jun 7, 2022 at 10:21 AM Philippe LeCavalier
> <support at plecavalier.com>
> wrote:
> 
> > Hi,
> > Does anyone have experience with having a password expiration (say 60
> > days) and manually adjusting a user's expiration date?
> >
> > I've got several domains all of which have a 90 day expiration in
ad-dc.
> > Frequently, users forget to change it and get locked out. I find that
> > when I postpone the expiration by adjusting the date (either in RSAT
> > or CLI - whichever is most handy at the time) when the user changes
> > the password the expiration doesn't change from the one I set. So
if I
> > give the user 3 days to change it and they change it the next day, the
> > user still gets locked out on the third day yet I would expect it to
> > not expire until the 90th day from the day it was changed.
> >
> > Is this normal behaviour and if it is, what is the expected method for
> > dealing with a user with an expired account? If it isn't, what do
I
> > need to look at to rectify this?
> > Thanks, Phil
> >
> Anyone experienced this?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Wed, Jun 8, 2022 at 4:36 AM L. van Belle via samba <samba at
lists.samba.org>
wrote:
> I suggest, increase the debug level, see that happening when users change a
> password.
> And tell us which samba version and OS your using, add the content of
> smb.conf
>
> That's pretty important.
I was asking if it is expected behaviour. I suppose I could interpret you
asking for this information as confirmation that it is not expected...
>
>
> This one might help out.
> sudo samba-tool domain passwordsettings
>
 plecavalier# samba-tool domain passwordsettings show
Password information for domain 'DC=intranet,DC=domain,DC=ca'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 15

plecavalier# uname -ar
Linux piwc11 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
GNU/Linux

plecavalier# dpkg -l | grep samba
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u3       amd64
   Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u3       amd64
   SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u3       all
   common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u3       amd64
   Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u3       amd64
   Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u3       amd64
   Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u3       amd64
   Samba Virtual FileSystem plugins
plecavalier# dpkg -l | grep winbind
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64
   Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64
   Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u3       amd64
   Samba winbind client library
ii  winbind                        2:4.13.13+dfsg-1~deb11u3       amd64
   service to resolve user and group information from Windows NT servers

plecavalier# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = INTRANET
realm = INTRANET.DOMAIN.CA
netbios name = DC11
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.domain.ca/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[profiles]
path = /data/profiles
read only = no
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba <samba-bounces at lists.samba.org> Namens Philippe
LeCavalier
> > via samba
> > Verzonden: woensdag 8 juni 2022 03:05
> > Aan: samba <samba at lists.samba.org>
> > Onderwerp: Re: [Samba] Password Expiration setting and manually
adjusting
> > the date
> >
> > On Tue, Jun 7, 2022 at 10:21 AM Philippe LeCavalier
> > <support at plecavalier.com>
> > wrote:
> >
> > > Hi,
> > > Does anyone have experience with having a password expiration
(say 60
> > > days) and manually adjusting a user's expiration date?
> > >
> > > I've got several domains all of which have a 90 day
expiration in
> ad-dc.
> > > Frequently, users forget to change it and get locked out. I find
that
> > > when I postpone the expiration by adjusting the date (either in
RSAT
> > > or CLI - whichever is most handy at the time) when the user
changes
> > > the password the expiration doesn't change from the one I
set. So if I
> > > give the user 3 days to change it and they change it the next
day, the
> > > user still gets locked out on the third day yet I would expect it
to
> > > not expire until the 90th day from the day it was changed.
> > >
> > > Is this normal behaviour and if it is, what is the expected
method for
> > > dealing with a user with an expired account? If it isn't,
what do I
> > > need to look at to rectify this?
> > > Thanks, Phil
> > >
> > Anyone experienced this?
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>