
[Samba] pdbedit "password must change" not following policy


Chris Beach

Jul 1, 2011, 8:10:01 PM
Hey everyone,

I've got a file server (named success) running Samba version 3.0.10-1.4E.
I've also got another file server (named happiness) running Samba version
3.3.15 and LDAP.

I've got success pointed to happiness for LDAP in the smb.conf, and running
a "pdbedit -v user" works, it shows the proper information...except for the
password must expire, it seemingly ignores the policy that is set on
success, for example:

[root@success]# pdbedit -P "maximum password age"
account policy value for maximum password age is 90

yet..:

[root@success]# pdbedit -v "user"
Password last set: Tue, 31 May 2011 12:54:11 GMT
Password can change: Tue, 07 Dec 2010 09:05:25 GMT
*Password must change: Mon, 07 Mar 2011 09:05:25 GMT*
Last bad password : 0
Bad password count : 0

Should the Password must change not be 90 days after the Password last set?
If I do the same command on happiness (the one that runs ldap as well) it
outputs as expected.

I've been stuck at this forever, am I missing something VERY obvious?

Thanks for any help!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Chris Smith

Jul 2, 2011, 9:20:02 AM
On Fri, Jul 1, 2011 at 7:57 PM, Chris Beach <chr...@pintys.com> wrote:
> [root@success]# pdbedit -P "maximum password age"
> account policy value for maximum password age is 90

At one time I used pdbedit to force a password change and that stopped
working. Apparently it was deprecated in favor of "net sam set
pwdmustchangenow". I'm guessing the same thing happened to maximum
password age. Try using "net sam policy set maximum password age"
instead.

Chris

John Drescher

Jul 2, 2011, 9:30:01 AM
> At one time I used pdbedit to force a password change and that stopped
> working. Apparently it was deprecated in favor of "net sam set
> pwdmustchangenow". I'm guessing the same thing happened to maximum
> password age. Try using "net sam policy set maximum password age"
> instead.

He is using an ancient version of samba (3.0.10-1.4E) though so the
deprecation probably does not apply.

John

TAKAHASHI Motonobu

Jul 2, 2011, 10:30:02 AM
On Fri, Jul 1, 2011 at 7:57 PM, Chris Beach <chr...@pintys.com> wrote:
> > [root@success]# pdbedit -P "maximum password age"
> > account policy value for maximum password age is 90
>
> At one time I used pdbedit to force a password change and that stopped
> working. Apparently it was deprecated in favor of "net sam set
> pwdmustchangenow".

"net sam set pwdmustchangenow" was first introduced at Samba 3.0.25.

From: Chris Beach <chr...@pintys.com>
Date: Fri, 1 Jul 2011 19:57:26 -0400

> I've got a file server (named success) running Samba version
> 3.0.10-1.4E. I've also got another file server (named happiness)
> running Samba version 3.3.15 and LDAP.

> I've got success pointed to happiness for LDAP in the smb.conf, and
> running a "pdbedit -v user" works, it shows the proper
> information...except for the password must expire, it seemingly
> ignores the policy that is set on success, ...


> [root@success]# pdbedit -P "maximum password age"
> account policy value for maximum password age is 90

The account policies in which "maximum password age" is included were
always stored at local account_policy.tdb before Samba 3.0.21. After
Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.

That's the problem, I think.

---
TAKAHASHI Motonobu <mo...@samba.gr.jp>

Chris Smith

Jul 2, 2011, 12:00:01 PM
On Sat, Jul 2, 2011 at 9:27 AM, John Drescher <dresc...@gmail.com> wrote:
> He is using an ancient version of samba (3.0.10-1.4E) though so the
> deprecation probably does not apply.

Thanks. Missed that sorta - wasn't going to dig through the changelog
back to the stone ages.

Chris Beach

Jul 4, 2011, 7:50:02 AM
Thank you all for the info, I'm seeing the same thing on my systems (newer
version of samba does have net sam change minimum password age, older one
does not).

So my problem still stands, pdbedit -P "maximum password age" shows 90 days,
as far as that is concerned it's correct, but for whatever reason, it's not
adding that 90 days from the "password last set" date to get the "password
must change" field, so most accounts are locked out, because the "password
must change" date is older than the "password last set" date... there must
be some config or setting on the server somewhere causing this, I just
haven't a clue where (I've looked quite a lot).

Chris Beach

Jul 4, 2011, 10:20:01 AM
I completely missed this message somehow, thank you, looking at the tdb
file using tdbtool I do see that "maximum password age" appears to be set to
Z where on the newer version of samba, it doesn't appear to be set.

I'm not sure what Z stands for, but is there a way I could go about
correcting this, or is my only option to update samba on the server
(success) so it will correctly report the password policy of the LDAP server
it is using?

Thanks for all the help.

TAKAHASHI Motonobu

Jul 4, 2011, 2:20:01 PM
From: Chris Beach <chr...@pintys.com>
Date: Mon, 4 Jul 2011 10:16:27 -0400

> I'm not sure what Z stands for, but is there a way I could go about
> correcting this, or is my only option to update samba on the server
> (success) so it will correctly report the password policy of the LDAP server
> it is using?
>
> Thanks for all the help.

AFAIK, you need to upgrade Samba on success at least to 3.0.21, as I said:
> The account policies in which "maximum password age" is included were
> always stored at local account_policy.tdb before Samba 3.0.21. After
> Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.

---
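
A check for the symptom described in this thread, added here as an example and not code from any poster or from Samba: it parses `pdbedit -v` output and flags accounts whose "Password must change" time precedes, or does not equal, "Password last set" plus the maximum age. The sample output is constructed, and the 90-day maximum age follows the thread's reading of the policy value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `pdbedit -v` output. "user" repeats the
# values quoted in the thread; "user2" is made up to show a consistent record.
SAMPLE = """\
Unix username:        user
Password last set:    Tue, 31 May 2011 12:54:11 GMT
Password can change:  Tue, 07 Dec 2010 09:05:25 GMT
Password must change: Mon, 07 Mar 2011 09:05:25 GMT
---------------
Unix username:        user2
Password last set:    Tue, 31 May 2011 12:54:11 GMT
Password must change: Mon, 29 Aug 2011 12:54:11 GMT
"""
FIELD = re.compile(r"(Unix username|Password last set|Password must change)\s*:\s*(.+)")

def parse_time(text):
    """Return a datetime, or None for values such as 'never' or '0'."""
    try:
        return datetime.strptime(text.strip(), "%a, %d %b %Y %H:%M:%S GMT")
    except ValueError:
        return None

def parse_accounts(output):
    """Collect the username and the two password timestamps per account."""
    accounts = []
    for line in output.splitlines():
        m = FIELD.match(line.strip().strip("*"))
        if not m:
            continue
        key, value = m.groups()
        if key == "Unix username":
            accounts.append({"user": value.strip()})
        elif accounts:
            accounts[-1][key] = parse_time(value)
    return accounts

def audit(output, max_age):
    """Flag accounts whose must-change time disagrees with last-set + max_age."""
    findings = []
    for acct in parse_accounts(output):
        last_set, must = acct.get("Password last set"), acct.get("Password must change")
        if last_set is None or must is None:
            continue  # field missing or not a date
        if must < last_set:
            findings.append((acct["user"], "must-change precedes last-set"))
        elif must != last_set + max_age:
            findings.append((acct["user"], "must-change is not last-set + max_age"))
    return findings

if __name__ == "__main__":
    # 90 days: the policy value as the thread reads it (assumption).
    for user, problem in audit(SAMPLE, timedelta(days=90)):
        print(user, problem)
```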
