Change Samba Password Expiry Setting with pdbedit

We have a Zentyal (Formerly EBox) Linux Small Business Server running as our office file/print server. Its runs smoothly hardly needs any maintenance. Except for this one issue, every few weeks I hear complains from staff that they can't logon to file server.

Quick peek at the Samba server logs reveals that 'password expired'. So there is password aging setting in force here.

 
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Account for user 'tom' password expired!.
[2010/12/05 17:33:45, 1] auth/auth_sam.c:sam_account_ok(180) sam_account_ok: Password expired at 'Sat, 04 Dec 2010 15:20:57 SST' (1291515657) unix time. 

Lets remedy that using Samba pdbedit tool. We are gonna reset the 'Password must change' policy to all the users on the server.

Zentyal uses LDAP to manage the passwords, so we use '-b' option to point to the LDAP backend. And we change the default policy to passwords never expire.



pdbedit -b ldapsam:ldapi://var/run/slapd/ldapi  -P 'maximum password age' -C -1

account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 0
account policy "maximum password age" value is now: 4294967295

# Defaults Before reset 
Unix username:        tom
NT username:          tom
Account Flags:        [U          ]
User SID:             S-1-5-21-3818554400-921237426-3143208535-5056
Primary Group SID:    S-1-5-21-3818554400-921237426-3143208535-513
Full Name:            Tom Thumb
Home Directory:       \\filesrvr\homes\tom
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         
Domain:               SRV
Account desc:         Thumb Sucker
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Sun, 05 Dec 2010 17:46:51 SST
Password can change:  Sun, 05 Dec 2010 17:46:51 SST
Password must change: Sat, 05 Mar 2011 17:46:51 SST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Failed to get password history for user director

# After reset

Unix username:        tom
NT username:          tom
Account Flags:        [U          ]
User SID:             S-1-5-21-3818554400-921237426-3143208535-5056
Primary Group SID:    S-1-5-21-3818554400-921237426-3143208535-513
Full Name:            Tom Thumb
Home Directory:       \\filesrvr\homes\tom
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         
Domain:               SRV
Account desc:         Thumb Sucker
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Sun, 05 Dec 2010 17:46:51 SST
Password can change:  Sun, 05 Dec 2010 17:46:51 SST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


5 comments:

  1. Hi Aky,
    Nice post.
    Do you know how to change the "Password Last Set" ? I don't see any parameter for that.
    Thank you.
    Fajar

    ReplyDelete
  2. Have you tried pdbedit -P 'Password Last Set' ?

    ReplyDelete
  3. it doesnt work :(
    pdbedit -P'Password last set'
    No account policy by that name!
    Account policy names are:
    min password length
    password history
    user must logon to change password
    maximum password age
    minimum password age
    lockout duration
    reset count minutes
    bad lockout attempt
    disconnect time
    refuse machine password change

    ReplyDelete
    Replies
    1. You are missing few parameters '-C -1'

      pdbedit -b ldapsam:ldapi://var/run/slapd/ldapi -P 'maximum password age' -C -1

      Delete
  4. I set pdbedit policy "user must logon to change password".
    but its not working this is not asking to reset password after first logon

    please help me out.

    ReplyDelete

You can leave a comment here using your Google account, OpenID or as an anonymous user.