Philippe LeCavalier
2022-Jun-11 19:53 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Sat, Jun 11, 2022 at 12:54 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> > On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba wrote:
> > > > Just bringing this back to the surface.
> > > >
> > >
> > > I have reread this thread and I think this is normal :-)
> > >
> > > Your user gets locked out because their password has expired.
> > > You unlock the user and set their password expiration to three days.
> > > Your user changes the password but this does not affect the expiry.
> > > After three days they get locked out again.
> > >
> > > Rinse and repeat :-)
> > >
> > > You are going about this the wrong way, you need to remind them that
> > > their password will expire before it does.
> > >
> > > Rowland
> > > They are aware it will expire in 30 just as they are aware it will
> > > expire after 3 (when I postpone it).
> >
> > So you're confirming that changing a password does not change the date
> > for which the password is set to expire? In other words the only
> > automatic or systematic change of password is at the 90 day anniversary
> > (or whatever password settings show, which in my case is 90). This means
> > when the user gets locked and I unlock I also need to set the password
> > to expire in 90 not 3.
>
> Possibly, I do not know how you are changing the password and setting
> the three days grace. I would change the password and make the user
> change it at next logon.

Either by RSAT or CLI, whichever is handy at the time. But mostly CLI.

# samba-tool user enable techsupport;samba-tool user setexpiry --days=3 User
Enabled user 'User'
Expiry for user 'User' set to 3 days.

> If you are changing the password and then
> setting the expiry to three days hence, then that expiry date is very
> likely to be honoured.

Nope. Setting 3 days, unlock (if RSAT) or enable (if CLI) and then telling the user to 'please change your password within the next 3 days to avoid it locking you out on 'date of 3rd day'. So the password change inevitably comes after the 3 days grace. So to me, if the default domain passwordsettings show max age 90 (min 0) shouldn't the system set the next anniversary to 90 as soon as the password is changed?
Rowland Penny
2022-Jun-11 20:21 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Sat, 2022-06-11 at 15:53 -0400, Philippe LeCavalier via samba wrote:

> On Sat, Jun 11, 2022 at 12:54 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> > > On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > >
> > > > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba wrote:
> > > > > Just bringing this back to the surface.
> > > > >
> > > >
> > > > I have reread this thread and I think this is normal :-)
> > > >
> > > > Your user gets locked out because their password has expired.
> > > > You unlock the user and set their password expiration to three days.
> > > > Your user changes the password but this does not affect the expiry.
> > > > After three days they get locked out again.
> > > >
> > > > Rinse and repeat :-)
> > > >
> > > > You are going about this the wrong way, you need to remind them that
> > > > their password will expire before it does.
> > > >
> > > > Rowland
> > > > They are aware it will expire in 30 just as they are aware it will
> > > > expire after 3 (when I postpone it).
> > >
> > > So you're confirming that changing a password does not change the date
> > > for which the password is set to expire? In other words the only
> > > automatic or systematic change of password is at the 90 day anniversary
> > > (or whatever password settings show, which in my case is 90). This means
> > > when the user gets locked and I unlock I also need to set the password
> > > to expire in 90 not 3.
> >
> > Possibly, I do not know how you are changing the password and setting
> > the three days grace. I would change the password and make the user
> > change it at next logon.
>
> Either by RSAT or CLI, whichever is handy at the time. But mostly CLI.
>
> # samba-tool user enable techsupport;samba-tool user setexpiry --days=3 User
> Enabled user 'User'
> Expiry for user 'User' set to 3 days.
>
> > If you are changing the password and then
> > setting the expiry to three days hence, then that expiry date is very
> > likely to be honoured.
>
> Nope. Setting 3 days, unlock (if RSAT) or enable (if CLI) and then telling
> the user to 'please change your password within the next 3 days to avoid it
> locking you out on 'date of 3rd day'. So the password change inevitably
> comes after the 3 days grace. So to me, if the default domain
> passwordsettings show max age 90 (min 0) shouldn't the system set the next
> anniversary to 90 as soon as the password is changed?

You would think so, but it seems not from your experience. I haven't looked at the 'samba-tool user setexpiry' code recently, but I would imagine that it is setting the expiry to 'now + 3 days' and this is probably overriding the default settings.

As I said, I would re-enable the user, change the user's password and set it so the user must change their password at next logon. I would also (if you are not already doing this) check the users' passwords regularly and send users a message that their password will expire in 'x' days and they will be locked out at that time if they do not change it.

Rowland
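
Editor's added example, not code from either poster or from the Samba project: a sketch of the regular check suggested above, working from the standard AD attributes pwdLastSet, accountExpires and userAccountControl. It also reports accountExpires, the account-level expiry date, which is a separate attribute that a password change does not move. It assumes the attribute values have already been read from the directory; the 90-day maximum age is the figure from the thread, while the 14-day warning window and the accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC, as AD stores times."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_status(user, now, max_age_days=90, warn_days=14):
    """Return (state, password_expiry, account_expiry) for one account."""
    uac, acct = user["userAccountControl"], user["accountExpires"]
    account_expiry = None if acct in NEVER else from_filetime(acct)
    if uac & UF_ACCOUNTDISABLE:
        return ("disabled", None, account_expiry)
    if user["pwdLastSet"] == 0:  # flagged "must change at next logon"
        return ("must-change", None, account_expiry)
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never-expires", None, account_expiry)
    # Password expiry is derived: last change + domain maximum age.
    expiry = from_filetime(user["pwdLastSet"]) + timedelta(days=max_age_days)
    if expiry <= now:
        return ("expired", expiry, account_expiry)
    warn = expiry - now <= timedelta(days=warn_days)
    return ("warn" if warn else "ok", expiry, account_expiry)

def users_to_notify(users, now, **policy):
    """sAMAccountNames whose password expires within the warning window."""
    return [u["sAMAccountName"] for u in users
            if password_status(u, now, **policy)[0] == "warn"]

# Constructed sample data (hypothetical accounts, not from the thread).
NOW = datetime(2022, 6, 11, tzinfo=timezone.utc)
def make_user(name, pwd_age_days, uac=0x200, account_expires=0):
    pwd = 0 if pwd_age_days is None else to_filetime(NOW - timedelta(days=pwd_age_days))
    return {"sAMAccountName": name, "pwdLastSet": pwd,
            "userAccountControl": uac, "accountExpires": account_expires}

SAMPLE_USERS = [
    make_user("alice", 80),   # 10 days of the 90 left: inside warning window
    make_user("bob", 95),     # older than 90 days: password expired
    make_user("carol", 1, account_expires=to_filetime(NOW + timedelta(days=3))),
    make_user("dave", None),  # pwdLastSet = 0: must change at next logon
]
```

For "carol" the result shows a password changed the day before, good for another 89 days, alongside an account-level expiry still three days out.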