Rowland Penny
2022-Jun-11 16:54 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba wrote:
> > > Just bringing this back to the surface.
> >
> > I have reread this thread and I think this is normal :-)
> >
> > Your user gets locked out because their password has expired.
> > You unlock the user and set their password expiration to three days.
> > Your user changes the password but this does not affect the expiry.
> > After three days they get locked out again.
> >
> > Rinse and repeat :-)
> >
> > You are going about this the wrong way, you need to remind them that
> > their password will expire before it does.
> >
> > Rowland
>
> They are aware it will expire in 30 just as they are aware it will expire
> after 3 (when I postpone it).
>
> So you're confirming that changing a password does not change the date for
> which the password is set to expire? In other words the only automatic or
> systematic change of password is at the 90 day anniversary (it whatever
> password settings show, which in my case is 90). This means when the user
> gets locked and I unlock I also need to set the password to expire in 90
> not 3.

Possibly, I do not know how you are changing the password and setting the three days grace. I would change the password and make the user change it at next logon.

If you are changing the password and then setting the expiry to three days hence, then that expiry date is very likely to be honoured. The only way to confirm this would be to examine a user's object in AD after you change the password and set the three days grace and check for the contents of the 'maxPwdAge' attribute.

There is also a constructed attribute: 'msDS-UserPasswordExpiryTimeComputed'

Rowland
Philippe LeCavalier
2022-Jun-11 19:53 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Sat, Jun 11, 2022 at 12:54 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> > On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba wrote:
> > > > Just bringing this back to the surface.
> > >
> > > I have reread this thread and I think this is normal :-)
> > >
> > > Your user gets locked out because their password has expired.
> > > You unlock the user and set their password expiration to three days.
> > > Your user changes the password but this does not affect the expiry.
> > > After three days they get locked out again.
> > >
> > > Rinse and repeat :-)
> > >
> > > You are going about this the wrong way, you need to remind them that
> > > their password will expire before it does.
> > >
> > > Rowland
> >
> > They are aware it will expire in 30 just as they are aware it will expire
> > after 3 (when I postpone it).
> >
> > So you're confirming that changing a password does not change the date for
> > which the password is set to expire? In other words the only automatic or
> > systematic change of password is at the 90 day anniversary (it whatever
> > password settings show, which in my case is 90). This means when the user
> > gets locked and I unlock I also need to set the password to expire in 90
> > not 3.
>
> Possibly, I do not know how you are changing the password and setting
> the three days grace. I would change the password and make the user
> change it at next logon.

Either by RSAT or CLI, whichever is handy at the time. But mostly CLI.

# samba-tool user enable techsupport;samba-tool user setexpiry --days=3 User
Enabled user 'User'
Expiry for user 'User' set to 3 days.

> If you are changing the password and then
> setting the expiry to three days hence, then that expiry date is very
> likely to be honoured.

Nope. Setting 3 days, unlock (if RSAT) or enable (if CLI) and then telling the user to 'please change your password within the next 3 days to avoid it locking you out on 'date of 3rd day'. So the password change inevitably comes after the 3 days grace. So to me, if the default domain passwordsettings show max age 90 (min 0) shouldn't the system set the next anniversary to 90 as soon as the password is changed?
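
An added example, not part of either message: a Python sketch that decodes the AD time attributes discussed in this thread and reports which one stops logons first. It relies on two things not stated in the thread: `samba-tool user setexpiry` writes the account-level `accountExpires` attribute, and `maxPwdAge` is read from the domain object. The expiry calculation is a simplified model of `msDS-UserPasswordExpiryTimeComputed`, and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF        # AD sentinel: "never" in time attributes
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag
TICKS_PER_DAY = 86400 * 10_000_000  # AD times count 100 ns ticks since 1601

def dt_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def filetime_to_dt(value):
    """accountExpires-style decode: 0 and NEVER both mean 'no expiry'."""
    if value in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Simplified msDS-UserPasswordExpiryTimeComputed (no fine-grained policies).
    Returns a UTC datetime, or None when the password never expires."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:
        return EPOCH_1601          # must change at next logon: already expired
    if max_pwd_age in (0, -0x8000000000000000):
        return None                # domain policy: passwords never expire
    return filetime_to_dt(pwd_last_set + abs(max_pwd_age))

def first_block(user, max_pwd_age):
    """Return (name, when) for whichever expiry stops logons first."""
    pw = password_expiry(user["pwdLastSet"], max_pwd_age, user["userAccountControl"])
    acct = filetime_to_dt(user["accountExpires"])
    found = [(n, t) for n, t in (("password", pw), ("accountExpires", acct)) if t]
    return min(found, key=lambda c: c[1], default=(None, None))

# Constructed sample: 90-day domain policy, account expiry set 3 days ahead.
MAX_PWD_AGE = -90 * TICKS_PER_DAY          # stored as a negative interval
T0 = datetime(2022, 6, 11, tzinfo=timezone.utc)
user = {"pwdLastSet": dt_to_filetime(T0), "userAccountControl": 0x200,
        "accountExpires": dt_to_filetime(T0 + timedelta(days=3))}

if __name__ == "__main__":
    print("before change:", first_block(user, MAX_PWD_AGE))
    # The user changes the password a day later: only pwdLastSet moves.
    user["pwdLastSet"] = dt_to_filetime(T0 + timedelta(days=1))
    print("password now expires:", password_expiry(user["pwdLastSet"], MAX_PWD_AGE, 0x200))
    print("after change: ", first_block(user, MAX_PWD_AGE))
```

In this model a password change moves the password expiry forward by the domain maximum age, while the three-day `accountExpires` value stays where it was set until it is changed explicitly.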