We have a Zentyal (formerly eBox) Linux Small Business Server running as our office file/print server. It runs smoothly and hardly needs any maintenance. Except for this one issue: every few weeks I hear complaints from staff that they can't log on to the file server.
A quick peek at the Samba server logs reveals 'password expired', so there is a password aging setting in force here.
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Account for user 'tom' password expired!.
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(180) sam_account_ok: Password expired at 'Sat, 04 Dec 2010 15:20:57 SST' (1291515657) unix time.
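To see which accounts are hitting the expiry, and how often, the two sam_account_ok messages above can be paired up per user. This is an added example, not part of the original post; the function names, the repeated 'tom' entry, the 'alice' entry and the smbd line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Samba
# 'password expired' rejections per user from log text on stdin.
# Output: "user rejected_logons expiry_epoch", sorted by user.
expired_logons() {
    awk -v q="'" '
        # First message of the pair: remember which account was rejected.
        /sam_account_ok: Account for user .* password expired/ {
            user = ""
            if (match($0, "user " q "[^" q "]+" q)) {
                user = substr($0, RSTART + 6, RLENGTH - 7)
                count[user]++
            }
            next
        }
        # Second message: expiry time as a Unix epoch in parentheses.
        /sam_account_ok: Password expired at/ && user != "" {
            if (match($0, /\([0-9]+\) unix time/))
                epoch[user] = substr($0, RSTART + 1, RLENGTH - 12)
            user = ""
        }
        END {
            for (u in count)
                printf "%s %d %s\n", u, count[u], (u in epoch ? epoch[u] : "-")
        }
    ' | sort
}

# Sample input: the first 'tom' pair is from the post; the repeat, the
# 'alice' pair and the smbd line are constructed for illustration.
sample_log() {
    cat <<'EOF'
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Account for user 'tom' password expired!.
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(180) sam_account_ok: Password expired at 'Sat, 04 Dec 2010 15:20:57 SST' (1291515657) unix time.
[2010/12/05 17:35:10, 1] smbd/service.c:make_connection_snum(1190) connect to service homes
[2010/12/05 17:36:12, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Account for user 'tom' password expired!.
[2010/12/05 17:36:12, 1] auth/auth_sam.c:sam_account_ok(180) sam_account_ok: Password expired at 'Sat, 04 Dec 2010 15:20:57 SST' (1291515657) unix time.
[2010/12/05 17:40:02, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Account for user 'alice' password expired!.
[2010/12/05 17:40:02, 1] auth/auth_sam.c:sam_account_ok(180) sam_account_ok: Password expired at 'Sun, 28 Nov 2010 16:06:40 SST' (1291000000) unix time.
EOF
}

sample_log | expired_logons
```

On a live server, feed the function the Samba log file instead of sample_log; the log location depends on the installation.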
Let's remedy that using Samba's pdbedit tool. We are going to reset the 'Password must change' policy for all the users on the server.
Zentyal uses LDAP to manage the passwords, so we use the '-b' option to point to the LDAP backend, and we change the default policy so that passwords never expire.
pdbedit -b ldapsam:ldapi://var/run/slapd/ldapi -P 'maximum password age' -C -1
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 0
account policy "maximum password age" value is now: 4294967295
# Defaults Before reset
Unix username: tom
NT username: tom
Account Flags: [U ]
User SID: S-1-5-21-3818554400-921237426-3143208535-5056
Primary Group SID: S-1-5-21-3818554400-921237426-3143208535-513
Full Name: Tom Thumb
Home Directory: \\filesrvr\homes\tom
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path:
Domain: SRV
Account desc: Thumb Sucker
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Sun, 05 Dec 2010 17:46:51 SST
Password can change: Sun, 05 Dec 2010 17:46:51 SST
Password must change: Sat, 05 Mar 2011 17:46:51 SST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Failed to get password history for user director
# After reset
Unix username: tom
NT username: tom
Account Flags: [U ]
User SID: S-1-5-21-3818554400-921237426-3143208535-5056
Primary Group SID: S-1-5-21-3818554400-921237426-3143208535-513
Full Name: Tom Thumb
Home Directory: \\filesrvr\homes\tom
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path:
Domain: SRV
Account desc: Thumb Sucker
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Sun, 05 Dec 2010 17:46:51 SST
Password can change: Sun, 05 Dec 2010 17:46:51 SST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hi Aky,
Nice post.
Do you know how to change the "Password Last Set" ? I don't see any parameter for that.
Thank you.
Fajar
Have you tried pdbedit -P 'Password Last Set' ?
it doesn't work :(
pdbedit -P'Password last set'
No account policy by that name!
Account policy names are:
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change
You are missing a few parameters: '-C -1'
pdbedit -b ldapsam:ldapi://var/run/slapd/ldapi -P 'maximum password age' -C -1
I set pdbedit policy "user must logon to change password".
But it's not working; this is not asking to reset the password after first logon.
please help me out.