
[Samba] help - user password expiration in loop


Fabio Pardi

Jun 16, 2011, 9:50:02 AM
Hi everybody,

I think I need a samba guru to solve this issue, because googling for
months did not help and the problem is becoming pressing.
I'm facing an annoying problem with samba. In detail, there is something
wrong with the password handling. It happens from Windows, Mac or Linux
clients.
Randomly (probably after $num days), the system asks the user to
change the password. After the user has done so, the system keeps asking
the same, in a sort of loop.
The only option to change it is to manually go to the console and issue
the command "smbldap-passwd username".

My system:

ubuntu lucid 32 bit

smb.conf

----cut---
[global]
idmap uid = 1000-15000
idmap gid = 1000-15000


workgroup = PORTAVITA

netbios name = PSAMBA

domain logons = Yes
domain master = Yes
wins support = true
obey pam restrictions = Yes
dns proxy = No

log level = 2
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes

passdb backend = ldapsam:ldap://localhost

ldap suffix = dc=pdc

ldap admin dn = cn=admin,dc=pdc

ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

ldap ssl = no

add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u


#those scripts are modified so we can create groups also on the system
add group script = /usr/sbin/addgroupldap-system '%g'
delete group script = /usr/sbin/delgroupldap-system '%g'
add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
delete user from group script = /usr/sbin/del-user-to-group-ldap-system -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon drive =
logon home =
logon path =
logon script = users/login.bat
server signing = auto
server schannel = Auto
nt acl support = yes
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No
logon script = login.bat

[Software]
comment = Software Folder
path = /share/software
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users =guest123

[progr]
comment = Prog Folder
path = /share/prog
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users =guest123

----cut----

samba version from package is 3.4.7
ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.4.21 (Aug 10 2010 17:07:36) $
buildd@rothera:/build/buildd/openldap-2.4.21/debian/build/clients/tools
(LDAP library: OpenLDAP 20421)
SASL/DIGEST-MD5 authentication started

Any help or suggestion is strongly appreciated.

Regards,

Fabio



Christ Schlacta

Jun 16, 2011, 10:00:01 AM
Use pdbedit or your web-based LDAP manager to update the account flags
to [UX]. Document the previous value before changing the flags. Use
smbldap tools to update the expire time. If none of this fixes it, post
an LDIF of an affected user account, as well as all the info from
smbldap-tools about said user.
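Christ's checklist above, as an added example (my code, not from the thread, from Samba or from smbldap-tools): a small Python audit that parses `pdbedit -L -v` output, keeps a record of the current flags before proposing a change, and emits the `pdbedit -c` command that adds the X (password never expires) flag while preserving the flags already set. The sample output is constructed, the account names and the `SAMPLE_NOW` reference time are hypothetical, and the `-u USER -c "[FLAGS]"` form is pdbedit's own account-control option.

```python
"""Audit `pdbedit -L -v` output for accounts that will be asked to change their
password. Constructed sample data; parsing follows the field layout pdbedit prints."""
import re
from datetime import datetime

# Constructed sample of three accounts in `pdbedit -L -v` format (not real users).
SAMPLE_PDBEDIT = """\
---------------
Unix username:        alice
NT username:          alice
Account Flags:        [U          ]
User SID:             S-1-5-21-1-2-3-1001
Password last set:    Fri, 18 Mar 2011 09:00:00 CET
Password can change:  Fri, 18 Mar 2011 09:00:00 CET
Password must change: Thu, 16 Jun 2011 09:00:00 CEST
Bad password count :  0
---------------
Unix username:        bob
NT username:          bob
Account Flags:        [UX         ]
User SID:             S-1-5-21-1-2-3-1002
Password last set:    Fri, 24 Jun 2011 16:48:34 CEST
Password can change:  Fri, 24 Jun 2011 16:48:34 CEST
Password must change: never
Bad password count :  0
---------------
Unix username:        carol
NT username:          carol
Account Flags:        [UX         ]
User SID:             S-1-5-21-1-2-3-1003
Password last set:    0
Password can change:  0
Password must change: 0
Bad password count :  0
---------------
"""

# Hypothetical "current time" used by the audit below.
SAMPLE_NOW = datetime(2011, 6, 24, 12, 0, 0)

# pdbedit prints e.g. "Fri, 24 Jun 2011 16:48:34 CEST"; the zone name is dropped and
# all times are compared as naive local times.
DATE_RE = re.compile(r"\w{3}, (\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})")


def parse_time(value):
    """Return a datetime, None for 'never', or 0 for an unset (zero) timestamp."""
    value = value.strip()
    if value == "never":
        return None
    if value == "0":
        return 0
    m = DATE_RE.match(value)
    if not m:
        raise ValueError("unrecognised pdbedit time: %r" % value)
    return datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")


def parse_pdbedit(text):
    """Split `pdbedit -L -v` output on its dashed separators, one dict per account."""
    accounts = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, _, val = line.partition(":")  # first colon only; times contain colons
            fields[key.strip()] = val.strip()
        if "Unix username" not in fields:
            continue
        flags = fields.get("Account Flags", "[]").strip("[] ").replace(" ", "")
        accounts.append({
            "user": fields["Unix username"],
            "flags": flags,
            "last_set": parse_time(fields.get("Password last set", "0")),
            "must_change": parse_time(fields.get("Password must change", "never")),
        })
    return accounts


def audit(accounts, now):
    """Return (user, previous flags, reason, fix command) for every account that is or
    will be forced to change its password. The fix keeps existing flags and adds X."""
    findings = []
    for acct in accounts:
        flags, must = acct["flags"], acct["must_change"]
        reason = None
        if acct["last_set"] == 0:
            reason = "password last set is 0 (unset), so a change is demanded at once"
        elif "X" not in flags and isinstance(must, datetime) and must <= now:
            reason = "no X flag and 'must change' (%s) has already passed" % must.isoformat()
        elif "X" not in flags:
            reason = "no X flag: expiry is governed by the 'maximum password age' policy"
        if reason:
            new_flags = "".join(sorted(set(flags) | {"X"}))
            fix = 'pdbedit -u %s -c "[%s]"' % (acct["user"], new_flags)
            findings.append((acct["user"], "[%s]" % flags, reason, fix))
    return findings


if __name__ == "__main__":
    for user, old, why, fix in audit(parse_pdbedit(SAMPLE_PDBEDIT), SAMPLE_NOW):
        print("%s: was %s; %s\n    %s" % (user, old, why, fix))
```

On a real server replace `SAMPLE_PDBEDIT` with the output of `pdbedit -L -v` and `SAMPLE_NOW` with `datetime.now()`; the "previous flags" column is the record Christ asks for before anything is changed. Note that carol already carries X and is still flagged: a zero "Password last set" is reported separately because it is not something the account flags alone can fix.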

Fabio Pardi

Jun 17, 2011, 10:40:01 AM
Thanks a lot Christ,

I managed using pdbedit. In fact, many accounts were carrying only the
[U], no X (but I clearly remember I changed every user's setting with
"password never expires" from the srvtool graphical tool :s )

Now the only thing i have to do is waiting....

Thanks a lot for your time, hoping this will permanently do the job.

Best Regards

Fabio

Fabio Pardi

Jun 24, 2011, 11:00:01 AM
Dears,

Unfortunately it happened again.
Now I see the user has the flags UX, but the system keeps asking for a
password change in a loop.

Details from pdbedit -L -v:

---------------
Unix username: myuser
NT username: myuser
Account Flags: [UX ]
User SID: S-1-5-21-222803232-3192872370-2452721687-1015
Primary Group SID: S-1-5-21-222803232-3192872370-2452721687-513
Full Name: hers name
Home Directory:
HomeDir Drive:
Logon Script: users/login.bat
Profile Path:
Domain: mydomain
Account desc: Software Developer
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: 0
Password last set: Fri, 24 Jun 2011 16:48:34 CEST
Password can change: Fri, 24 Jun 2011 16:48:34 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-------------------------

Fabio Pardi

Jul 4, 2011, 11:40:02 AM
nobody to help?

Dermot

Jul 4, 2011, 4:30:01 PM
On 4 July 2011 16:37, Fabio Pardi <f.p...@portavita.eu> wrote:

> nobody to help?

I'm just throwing out ideas here. What is the output from pdbedit -P for
all these policies: minimum password age, reset count minutes,
disconnect time, user must logon to change password, password history,
lockout duration, min password length, maximum password age and bad
lockout attempt?

Perhaps there are clues there.
Dp.

Fabio Pardi

Jul 6, 2011, 9:50:03 AM
Hi Dermot,

thanks for your reply.
Here below is the output; nothing strange to my eyes, but
maybe (hopefully) you know more:

pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after
bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0

---
pdbedit -P "maximum password age"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age,
in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295

---
pdbedit -P "min password length"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "min password length" description: Minimal password
length (default: 5)
account policy "min password length" value is: 5

---
pdbedit -P "lockout duration"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "lockout duration" description: Lockout duration in
minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30

---
pdbedit -P "password history"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "password history" description: Length of Password
History Entries (default: 0 => off)
account policy "password history" value is: 0

----
pdbedit -P "user must logon to change password"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "user must logon to change password" description: Force
Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 0

-----
pdbedit -P "disconnect time"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "disconnect time" description: Disconnect Users outside
logon hours (default: -1 => off, 0 => on)
account policy "disconnect time" value is: 4294967295

---
pdbedit -P "minimum password age"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "minimum password age" description: Minimal password age,
in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0
---
pdbedit -P "reset count minutes"
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "reset count minutes" description: Reset time after
lockout in minutes (default: 30)
account policy "reset count minutes" value is: 30
---


Then I tried:

15:38 root@pdc-portavita:~# pdbedit -P "maximum password age" -C -1
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(XXXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age,
in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 4294967295
account policy "maximum password age" value is now: 4294967295
(4294967295 seconds, that is, 131 years and some days)
------
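The 4294967295 that comes back from `pdbedit -P "maximum password age" -C -1` above is the unsigned form of -1: account-policy values are stored as 32-bit unsigned integers, so -1 reads back as 4294967295 and still means "never expire". As an added example (my code, not from the thread or from Samba), the Python below decodes `pdbedit -P` output into signed values and applies a simplified version of the rule Samba 3 uses to derive "Password must change" from the account and the policy (last-set 0 means change now; an X flag or a max age of -1 means never; otherwise last-set plus max age). That rule is my reading of Samba 3's `pdb_get_pass_must_change_time` and is an assumption to check against your version's passdb.c; the policy output is constructed, as are the epoch values.

```python
"""Decode the raw uint32 values printed by `pdbedit -P` and apply a simplified
must-change rule. Sample output is constructed to match pdbedit's format."""
import re

# Constructed `pdbedit -P` output. 4294967295 is how -1 looks once stored as uint32.
SAMPLE_POLICY_OUTPUT = """\
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295
account policy "minimum password age" value is: 0
account policy "disconnect time" value is: 4294967295
account policy "bad lockout attempt" value is: 0
account policy "lockout duration" value was: 30
account policy "lockout duration" value is now: 60
"""

# Matches "value is:", "value was:" and "value is now:" lines; the description line is ignored.
POLICY_RE = re.compile(r'account policy "([^"]+)" value (?:is now|was|is): (\d+)')

NEVER = None  # "never" in pdbedit's own wording


def to_signed32(raw):
    """Reinterpret the uint32 pdbedit prints as the signed value the policy means."""
    return raw - 2**32 if raw >= 2**31 else raw


def parse_policies(text):
    """Map policy name -> signed value; a later 'value is now' line overrides earlier ones."""
    policies = {}
    for m in POLICY_RE.finditer(text):
        policies[m.group(1)] = to_signed32(int(m.group(2)))
    return policies


def describe_max_age(seconds):
    """Human-readable form of 'maximum password age'."""
    if seconds == -1:
        return "never expire"
    return "%d seconds (%.1f days)" % (seconds, seconds / 86400.0)


def must_change_time(last_set, flags, max_age):
    """Simplified model (assumption) of Samba 3's pdb_get_pass_must_change_time.
    last_set and max_age are in seconds; returns 0 (change now), NEVER, or an epoch."""
    if last_set == 0:
        return 0            # an unset last-set time forces a change immediately
    if "X" in flags:
        return NEVER        # ACB_PWNOEXP: password never expires
    if max_age == -1:
        return NEVER        # domain policy disables expiry
    return last_set + max_age


def must_change_now(last_set, flags, max_age, now):
    """True if the account would be prompted to change its password at time `now`."""
    t = must_change_time(last_set, flags, max_age)
    return t is not NEVER and t <= now


if __name__ == "__main__":
    policies = parse_policies(SAMPLE_POLICY_OUTPUT)
    for name, value in sorted(policies.items()):
        print("%-24s %d" % (name, value))
    print("maximum password age:", describe_max_age(policies["maximum password age"]))
```

The useful check here is the first branch of `must_change_time`: with the policy at -1 and the X flag set, the only remaining way for the rule to demand a change is a zero "Password last set", which is what `pdbedit -L -v` should be inspected for on an affected account.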
