[Samba] password aging policy vs. special cases
Greetings.

I have just upgraded to samba 3.0.25a (from 3.0.24 AFAIR). I have also upgraded schema file in openldap's configuration directory. As I have had some more time I have discovered sambaMaxPwdAge and that it may be read with pdbedit in human readable form. Great :-)

But what if I would like to force a user to change her password right at next login? I have tried to set sambaPwdMustChange to `date +%s` (I mean the number), but nothing happened. pdbedit still shows sambaPwdLastSet + sambaMaxPwdAge and windows does not ask for a change :-(

Of course! I could set sambaPwdLastSet to 1, but please admit, this is kind of counter intuitive. Is this the only way to force user to change her password sooner (or later) than it is now?

Best regards,

PS. Please do CC.

--
Have a nice day
Łukasz

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] password aging in Samba 3
Ok, I'm rigging myself up a Samba 3 PDC for a variety of Windows clients. Anything from 98 on up to XP and everything in between. For the most part it hasn't been a big deal. I've got a couple of questions I want to run by the list and see if anyone has figured this one out.

My first question is about the [profiles] share. Is this share really needed? The documentation never really comes out and says it. I'm not setting up roaming profiles so I'm assuming I won't need it.

The next question is about password aging. I have a client that would like to have the user have to reset their password after 60 days. I've seen some inklings online of being able to do with pdbedit, but the documentation seems non-existent at best on how to do this. Maybe this is also doable with a policy setup. I haven't actually tried that one yet so if that works just let me know and I'll dig into that.

Thanks in advance.
Re: [Samba] password aging in Samba 3
On Tuesday 21 June 2005 09:03, Kurt Bechstein wrote:
> Ok, I'm rigging myself up a Samba 3 PDC for a variety of Windows clients. Anything from 98 on up to XP and everything in between. For the most part it hasn't been a big deal. I've got a couple of questions I want to run by the list and see if anyone has figured this one out.
>
> My first question is about the [profiles] share. Is this share really needed? The documentation never really comes out and says it. I'm not setting up roaming profiles so I'm assuming I won't need it.

If you are not using roaming profiles you do NOT need a profiles share. There! I've said it!

> The next question is about password aging. I have a client that would like to have the user have to reset their password after 60 days. I've seen some inklings online of being able to do with pdbedit, but the documentation seems non-existent at best on how to do this. Maybe this is also doable with a policy setup. I haven't actually tried that one yet so if that works just let me know and I'll dig into that.
>
> Thanks in advance.

You can use either the NT4 Domain User Manager to manage all aspects of your user and group accounts, or you can use pdbedit from the command line.

I am in the process of completing the second edition of the Samba-3 HOWTO. Apologies that it has not been done faster. I've been working full-time on the documentation since January 2005.

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] password aging in Samba 3
On Tue, 2005-06-21 at 09:13 -0600, John H Terpstra wrote:
> On Tuesday 21 June 2005 09:03, Kurt Bechstein wrote:
> > Ok, I'm rigging myself up a Samba 3 PDC for a variety of Windows clients. Anything from 98 on up to XP and everything in between. For the most part it hasn't been a big deal. I've got a couple of questions I want to run by the list and see if anyone has figured this one out.
> >
> > My first question is about the [profiles] share. Is this share really needed? The documentation never really comes out and says it. I'm not setting up roaming profiles so I'm assuming I won't need it.
>
> If you are not using roaming profiles you do NOT need a profiles share. There! I've said it!

Ok, Thanks!

> > The next question is about password aging. I have a client that would like to have the user have to reset their password after 60 days. I've seen some inklings online of being able to do with pdbedit, but the documentation seems non-existent at best on how to do this. Maybe this is also doable with a policy setup. I haven't actually tried that one yet so if that works just let me know and I'll dig into that.
> >
> > Thanks in advance.
>
> You can use either the NT4 Domain User Manager to manage all aspects of your user and group accounts, or you can use pdbedit from the command line.

I've tried using the NT4 Domain Manager in conjunction with the tdbsam backend but haven't had any luck as far as password aging goes. It doesn't seem to be making any changes at least as far as pdbedit -L -v goes. Also, I've tried to change the max password age via pdbedit -P max password age -C . However, according to M$'s documentation this value is stored from 1-999 but this doesn't look like what the tdb file is storing. What type of parameter do I need to pass to pdbedit to enforce a 60 day password expiration? I'm doing this on Red Hat enterprise 4 by the way.

Thanks in advance.

> I am in the process of completing the second edition of the Samba-3 HOWTO. Apologies that it has not been done faster. I've been working full-time on the documentation since January 2005.

This will be excellent. I've had my nose buried in the first edition for the last couple of days and it has been very helpful.
Re: [Samba] password aging in Samba 3
On Tuesday 21 June 2005 09:26, Kurt Bechstein wrote:
> > > The next question is about password aging. I have a client that would like to have the user have to reset their password after 60 days. I've seen some inklings online of being able to do with pdbedit, but the documentation seems non-existent at best on how to do this. Maybe this is also doable with a policy setup. I haven't actually tried that one yet so if that works just let me know and I'll dig into that.
> > >
> > > Thanks in advance.
> >
> > You can use either the NT4 Domain User Manager to manage all aspects of your user and group accounts, or you can use pdbedit from the command line.
>
> I've tried using the NT4 Domain Manager in conjunction with the tdbsam backend but haven't had any luck as far as password aging goes. It doesn't seem to be making any changes at least as far as pdbedit -L -v goes. Also, I've tried to change the max password age via pdbedit -P max password age -C . However, according to M$'s documentation this value is stored from 1-999 but this doesn't look like what the tdb file is storing. What type of parameter do I need to pass to pdbedit to enforce a 60 day password expiration? I'm doing this on Red Hat enterprise 4 by the way.
>
> Thanks in advance.

The maximum password age is stored in seconds.

1 day == 86400 seconds

The useful range that matches NT4 capabilities is 86400 - 86313600 sec (999 days). When you set this to never expire in NT4 it sets to 4294967295 sec.

So, 60 days = 5184000

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
[Samba] Password Aging with Winbind?
Dear list,

I'd like to know if anyone has a solution that allows a unix account with expired password to change the password. My problem is similar to what's described here, but it seems no one answered.

http://lists.samba.org/archive/samba/2004-January/077899.html

If I missed any answer or if someone came up with a solution, could it be posted here?

I have samba 2.2.9 on Solaris 8. Also, according to my truss, it seems pam_unix.so.1 is the problem (new password is asked but right after pam_unix.so.1 is called, the error message is printed 3 times), but could anyone provide an insight if not an answer?

++quote++
Interaction with Password Aging

When password aging is turned on, only a limited set of possible name services are permitted for the passwd: database in the /etc/nsswitch.conf file:

    passwd: files
    passwd: files nis
    passwd: files nisplus
    passwd: files ldap
    passwd: compat
    passwd_compat: nisplus
    passwd_compat: ldap
++unquote++

Thanks.

Ben Kim
Re: [Samba] Samba Password Aging
On Tue, 2004-02-03 at 09:12, Kenneth Loafman wrote:
> Samba version 2.999+3.0cvs20020906-1 for Debian
>
> Somehow the Samba password is aging and is requiring a reset once a month for a couple of users. I can't see anything in the man pages to indicate that the passwords age, so how is Samba doing it, and how do I stop this behavior?

By not running such an old version of Samba. Current versions of samba in debian use smbpasswd by default (will keep tdbsam if you upgrade however) and do not have the 21 day password expiry.

pdbedit allows you to see into the tdbsam.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] Samba Password Aging
Andrew Bartlett wrote:
> On Tue, 2004-02-03 at 09:12, Kenneth Loafman wrote:
> > Samba version 2.999+3.0cvs20020906-1 for Debian
> >
> > Somehow the Samba password is aging and is requiring a reset once a month for a couple of users. I can't see anything in the man pages to indicate that the passwords age, so how is Samba doing it, and how do I stop this behavior?
>
> By not running such an old version of Samba. Current versions of samba in debian use smbpasswd by default (will keep tdbsam if you upgrade however) and do not have the 21 day password expiry.
>
> pdbedit allows you to see into the tdbsam.

Updated to latest Debian (3.0x) and it kept the tdb password file. Any way to convert back to smbpasswd without a complete uninstall/reinstall?

...Ken
Re: [Samba] Samba Password Aging
Kenneth Loafman wrote:
> Andrew Bartlett wrote:
> > On Tue, 2004-02-03 at 09:12, Kenneth Loafman wrote:
> > > Samba version 2.999+3.0cvs20020906-1 for Debian
> > >
> > > Somehow the Samba password is aging and is requiring a reset once a month for a couple of users. I can't see anything in the man pages to indicate that the passwords age, so how is Samba doing it, and how do I stop this behavior?
> >
> > By not running such an old version of Samba. Current versions of samba in debian use smbpasswd by default (will keep tdbsam if you upgrade however) and do not have the 21 day password expiry.
> >
> > pdbedit allows you to see into the tdbsam.
>
> Updated to latest Debian (3.0x) and it kept the tdb password file. Any way to convert back to smbpasswd without a complete uninstall/reinstall?

Never mind. smbpasswd and smb.conf man pages answered it. A simple change to 'passdb backend' and a 'pdbedit -e ...' fixed it. Now, no more evil password aging.

...Ken
[Samba] Samba Password Aging
Samba version 2.999+3.0cvs20020906-1 for Debian

Somehow the Samba password is aging and is requiring a reset once a month for a couple of users. I can't see anything in the man pages to indicate that the passwords age, so how is Samba doing it, and how do I stop this behavior?

One user is on Windows 2000 and the other on Windows XP. The Windows passwords are not aging and neither are the Linux passwords on the Samba server itself, just the Samba password.

Plus, with the new *.tdb format, how do you see what users are there? This seems to be a valid security hole if there is no Samba mechanism to see into this mysterious database to find out what settings are there and to audit the users that might show up without authorization.

...Thanks,
...Ken
Re: [Samba] Password Aging Policies - SAMBA
On Fri, 2003-04-04 at 07:15, John H Terpstra wrote:
> On Thu, 3 Apr 2003, MARK LICHTENBERG wrote:
> > I am new to SAMBA. I am using it with LINUX and I love it! Nice change from you know who.
> >
> > I am sorry if this is a lame question, but I am setting up a Primary Domain Controller and a Backup Domain Controller. All the clients are Windows 2K or XP. I need the clients to reset their passwords every 30 days. I am having a hard time locating a procedure to set this feature. LINUX has 'chage' but that does not seem to apply to SAMBA.
> >
> > Does anyone know how I can set up a policy for my SAMBA clients to force them to change their passwords? I hope so, because I really want to use LINUX/SAMBA for my domain controllers, and this is my last hurdle.
>
> This is something that may make it into the Samba-3.0.0 code branch but is not available with Samba-2.2.x.

Already implemented in Samba 3.0, for pdb_ldap, pdb_tdbsam.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] password aging
Hi,

I recently upgraded to Samba 2.2.8 running on Solaris 8. Since doing so, I have noticed that I get a message telling me my password will expire in x days, and if I want to change it now. I never had this message show up before.

In looking through the archives, I saw that password aging is supposed to go into Samba 3.x but hasn't made it into the 2.2.x branch. So why am I getting these messages now? How can I manage it?

I would like to be able to do the equivalent of checking the box that makes it so that the passwords will never expire, then let Novell force the user to change their password. The user would then synch (change both) when they change their Novell password.

I appreciate your help.

Regards,
Arnold Andrews
MCAD/Unix Systems Administrator
Seagate Technology, LLC
Re: [Samba] password aging
Hi Arnold,

> I recently upgraded to Samba 2.2.8 running on Solaris 8. Since doing so, I have noticed that I get a message telling me my password will expire in x days, and if I want to change it now. I never had this message show up before.

check date and time on client and samba machine. My crystal ball says, your Solaris is your PDC.

der tom
Re: [Samba] password aging
> > I recently upgraded to Samba 2.2.8 running on Solaris 8. Since doing so, I have noticed that I get a message telling me my password will expire in x days, and if I want to change it now. I never had this message show up before.
>
> check date and time on client and samba machine. My crystal ball says, your Solaris is your PDC.

Yes, my Solaris host is the PDC. ??? The date and time are within a minute of each other on the Samba server and the PC. What does the date and time have to do with the expiration message?

Thanks again,
Arnold
Re: [Samba] Password Aging Policies - SAMBA
On Thu, 3 Apr 2003, MARK LICHTENBERG wrote:
> I am new to SAMBA. I am using it with LINUX and I love it! Nice change from you know who.
>
> I am sorry if this is a lame question, but I am setting up a Primary Domain Controller and a Backup Domain Controller. All the clients are Windows 2K or XP. I need the clients to reset their passwords every 30 days. I am having a hard time locating a procedure to set this feature. LINUX has 'chage' but that does not seem to apply to SAMBA.
>
> Does anyone know how I can set up a policy for my SAMBA clients to force them to change their passwords? I hope so, because I really want to use LINUX/SAMBA for my domain controllers, and this is my last hurdle.

This is something that may make it into the Samba-3.0.0 code branch but is not available with Samba-2.2.x.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] Password Aging Policies - SAMBA
> I am sorry if this is a lame question, but I am setting up a Primary Domain Controller and a Backup Domain Controller. All the clients are Windows 2K or XP. I need the clients to reset their passwords every 30 days. I am having a hard time locating a procedure to set this feature. LINUX has 'chage' but that does not seem to apply to SAMBA.

Samba 2.x does not have this built in. Looks like Samba 3.0 will have this as a feature. For now you get to do it yourself. If you check the archives you'll find a number of homebrew solutions to password aging.

Patrick
Re: [Samba] password aging
Still no luck. I set 'obey pam restrictions = yes' and 'pam password change yes', I already had the 'unix password sync = yes'.

I can see entries in the log like this:

Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users username

So I'm assuming samba is working with pam. I have also successfully changed my user password via the client.

I have edited /etc/shadow to expire my password in 1 day. When I log into the machine via ssh I get the messages saying my password is about to expire, but when I log onto the PC (which has joined the domain) I don't get the popup message. If my password does expire on linux/samba, I get locked out of the domain without receiving any message on the PC. (This happened to me when my password expired yesterday).

I have samba and pam implemented, do I need to implement something else? Should I try implementing OpenLDAP? I don't want to implement an alpha version of samba 3.0 since this is a production environment and I can't risk having users locked out. Is there somewhere else I can look to get documentation about this?

Thank you,
Joseph Morin
Dominion Diagnostics

From: Andrew Bartlett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 02/19/2003 06:12 PM
cc: [EMAIL PROTECTED]
Subject: Re: [Samba] password aging

On Thu, 2003-02-20 at 07:11, [EMAIL PROTECTED] wrote:
> What are my options for implementing password aging using samba as my PDC ? I can set the users Linux password to expire, but it doesn't seem to propagate to their samba passwords. I absolutely need this functionality. Is OpenLDAP the answer?

If you set 'obey pam restrictions = yes' and setup the correct PAM configuration files, then Samba will also honor this. You should also set 'unix password sync = yes' and 'pam password change yes' so that the password changes update the PAM backend too.

Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to store your passwords, which fully supports password expiry, based on our own 'pwdMustChange' attribute.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

(See attached file: signature.asc)
Re: [Samba] password aging
On Wed, 2003-03-05 at 06:12, [EMAIL PROTECTED] wrote:
> Still no luck. I set 'obey pam restrictions = yes' and 'pam password change yes', I already had the 'unix password sync = yes'.
>
> I can see entries in the log like this:
>
> Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
> Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users username
>
> So I'm assuming samba is working with pam. I have also successfully changed my user password via the client.
>
> I have edited /etc/shadow to expire my password in 1 day. When I log into the machine via ssh I get the messages saying my password is about to expire, but when I log onto the PC (which has joined the domain) I don't get the popup message. If my password does expire on linux/samba, I get locked out of the domain without receiving any message on the PC. (This happened to me when my password expired yesterday).
>
> I have samba and pam implemented, do I need to implement something else?

Don't use Win9X as a 'domain' client. Samba 2.2 does not support sensible error codes to Win9X for this behavior. Samba 3.0 does, however (due to a complete auth rewrite).

> Should I try implementing OpenLDAP? I don't want to implement an alpha version of samba 3.0 since this is a production environment and I can't risk having users locked out. Is there somewhere else I can look to get documentation about this?
>
> Thank you,
> Joseph Morin
> Dominion Diagnostics
>
> From: Andrew Bartlett [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: 02/19/2003 06:12 PM
> cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] password aging
>
> On Thu, 2003-02-20 at 07:11, [EMAIL PROTECTED] wrote:
> > What are my options for implementing password aging using samba as my PDC ? I can set the users Linux password to expire, but it doesn't seem to propagate to their samba passwords. I absolutely need this functionality. Is OpenLDAP the answer?
>
> If you set 'obey pam restrictions = yes' and setup the correct PAM configuration files, then Samba will also honor this. You should also set 'unix password sync = yes' and 'pam password change yes' so that the password changes update the PAM backend too.
>
> Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to store your passwords, which fully supports password expiry, based on our own 'pwdMustChange' attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
>
> (See attached file: signature.asc)

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] password aging
Sorry for the confusion, I'm using Win2k clients, not Win9X.

Joseph Morin
Dominion Diagnostics

From: Andrew Bartlett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 03/05/2003 04:59 PM
cc: Andrew Bartlett [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Samba] password aging

On Wed, 2003-03-05 at 06:12, [EMAIL PROTECTED] wrote:
> Still no luck. I set 'obey pam restrictions = yes' and 'pam password change yes', I already had the 'unix password sync = yes'.
>
> I can see entries in the log like this:
>
> Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
> Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users username
>
> So I'm assuming samba is working with pam. I have also successfully changed my user password via the client.
>
> I have edited /etc/shadow to expire my password in 1 day. When I log into the machine via ssh I get the messages saying my password is about to expire, but when I log onto the PC (which has joined the domain) I don't get the popup message. If my password does expire on linux/samba, I get locked out of the domain without receiving any message on the PC. (This happened to me when my password expired yesterday).
>
> I have samba and pam implemented, do I need to implement something else?

Don't use Win9X as a 'domain' client. Samba 2.2 does not support sensible error codes to Win9X for this behavior. Samba 3.0 does, however (due to a complete auth rewrite).

> Should I try implementing OpenLDAP? I don't want to implement an alpha version of samba 3.0 since this is a production environment and I can't risk having users locked out. Is there somewhere else I can look to get documentation about this?
>
> Thank you,
> Joseph Morin
> Dominion Diagnostics
>
> From: Andrew Bartlett [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: 02/19/2003 06:12 PM
> cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] password aging
>
> On Thu, 2003-02-20 at 07:11, [EMAIL PROTECTED] wrote:
> > What are my options for implementing password aging using samba as my PDC ? I can set the users Linux password to expire, but it doesn't seem to propagate to their samba passwords. I absolutely need this functionality. Is OpenLDAP the answer?
>
> If you set 'obey pam restrictions = yes' and setup the correct PAM configuration files, then Samba will also honor this. You should also set 'unix password sync = yes' and 'pam password change yes' so that the password changes update the PAM backend too.
>
> Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to store your passwords, which fully supports password expiry, based on our own 'pwdMustChange' attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
>
> (See attached file: signature.asc)

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

(See attached file: signature.asc)
[Samba] password aging
What are my options for implementing password aging using samba as my PDC ? I can set the users Linux password to expire, but it doesn't seem to propagate to their samba passwords. I absolutely need this functionality. Is OpenLDAP the answer?

Joseph Morin
Re: [Samba] password aging
On Thu, 2003-02-20 at 07:11, [EMAIL PROTECTED] wrote:
> What are my options for implementing password aging using samba as my PDC ? I can set the users Linux password to expire, but it doesn't seem to propagate to their samba passwords. I absolutely need this functionality. Is OpenLDAP the answer?

If you set 'obey pam restrictions = yes' and setup the correct PAM configuration files, then Samba will also honor this. You should also set 'unix password sync = yes' and 'pam password change yes' so that the password changes update the PAM backend too.

Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to store your passwords, which fully supports password expiry, based on our own 'pwdMustChange' attribute.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] Samba password aging w/win98 Clients
Hello all.

Thanks so much with the assistance people provided with helping me set up a pdc, and giving me the hints to be able to change my smbpasswd and have it sync with the passwd file, from the win98 client.

Now I need to figure out how to enforce password aging so people will change their passwords, and be prompted at the win98 client to do so.

Here is what happens now. When the unix password expires, the win98 client user can still log into the domain, it looks like because the smbpasswd does not expire. Any other function that requires the unix passwd (mail, ssh) does not work of course.

Here is my chat line in the smb.conf:

    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
    unix password sync = Yes

This part works fine. When the smbpasswd is changed the unix passwd is changed as well. Is there any way to have them expire at the same time as well and a prompt sent out to the win98 clients so they know to change the password?

Thanks in advance everyone!

Bob
[Samba] Password aging?
Hi there,

can you propose a way to implement password aging in samba 2.x?

Thanks,

--
Dimitrios Stergiou
System, Network and Security Administration Group
Intracom S.A
[Samba] Password aging ...
Greetings ...

A quick question more to confirm a few things regarding SMB passwords, which I hope might be able to look at for password aging. I saw some discussion on samba-tech list, but nothing conclusive.

LM and NT hashes don't have a salt? Do they? ... In other words, a password password LM hashed, always comes out as E52CAC67419A9A224A3B108F3FA6CB6D no matter the case?

Just checks, but I take it a password password NT hashed is case sensitive, but still no salt, which means one could search a DB of a large number of LM or NT hashed to crack a LM/NT hash?

I understand that we can't use PAM cracklib to do password sanity, but we could use all known hashes in a smb passwd DB, ie ... search one's local LDAP DB for matching LM/NT hashes and not accept password. But I think that the rpc's to look after password expire and sanity have not been finished, am I correct in this thinking?

Thanks.
Mailed
Lee
Re: [Samba] Password aging ...
C.Lee Taylor wrote:
> Greetings ...
>
> A quick question more to confirm a few things regarding SMB passwords, which I hope might be able to look at for password aging. I saw some discussion on samba-tech list, but nothing conclusive.
>
> LM and NT hashes don't have a salt? Do they? ... In other words, a password password LM hashed, always comes out as E52CAC67419A9A224A3B108F3FA6CB6D no matter the case?
>
> Just checks, but I take it a password password NT hashed is case sensitive, but still no salt, which means one could search a DB of a large number of LM or NT hashed to crack a LM/NT hash?

Fun, isn't it :-)

Anyway, the passwords are 'plaintext equivalent', so you don't even need to crack them.

> I understand that we can't use PAM cracklib to do password sanity, but we could use all known hashes in a smb passwd DB, ie ... search one's local LDAP DB for matching LM/NT hashes and not accept password. But I think that the rpc's to look after password expire and sanity have not been finished, am I correct in this thinking?

Password expiry is implemented in Samba 3.0, password sanity not yet implemented. (Patches welcome, see previous discussion).

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
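
Added example, not part of the archived messages and not Samba code: a small audit over a `pdbedit -L -w` (smbpasswd-format) export that applies two points made in these threads, the maximum password age expressed in seconds (60 days = 5184000, never expires = 4294967295) and the absence of a salt in LM/NT hashes, which means accounts with the same password carry identical hash fields. The account lines, `NOW` and every function name are constructed for illustration; the LM value is the one quoted in the thread, and the flag letters (`U` normal user, `X` password never expires, `W` workstation trust) are those of the smbpasswd file format.

```python
"""Password-age and shared-hash audit over smbpasswd-format account lines."""
from collections import defaultdict

DAY = 86400                # 1 day == 86400 seconds
NEVER_EXPIRE = 4294967295  # value NT4 stores for "never expires"
NT4_MAX_DAYS = 999         # 999 days == 86313600 seconds

# Constructed sample in `pdbedit -L -w` layout:
#   name:uid:LM hash:NT hash:[flags]:LCT-<hex seconds of last password change>:
# alice and bob both use the word "password" (LM value as quoted in the thread,
# NT value is the unsalted MD4 of the same word); the other hashes are made up.
SAMPLE = """\
alice:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-42000000:
bob:1002:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-42800000:
carol:1003:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-42B00000:
dave:1004:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[UX         ]:LCT-42000000:
pc01$:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A0A1A2A3A4A5A6A7A8A9AAABACADAEAF:[W          ]:LCT-42000000:
"""
NOW = 0x42C00000  # fixed "current time" so the sample result is reproducible


def max_age_seconds(days):
    """Convert a policy in days to seconds; None means never expire."""
    if days is None:
        return NEVER_EXPIRE
    if not 1 <= days <= NT4_MAX_DAYS:
        raise ValueError("NT4-compatible range is 1..999 days")
    return days * DAY


def parse_accounts(text):
    """Parse smbpasswd-format lines into dicts, skipping blanks and comments."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or not fields[5].startswith("LCT-"):
            raise ValueError("not an smbpasswd-format line: %r" % raw)
        accounts.append({
            "user": fields[0],
            "lm": fields[2].upper(),
            "nt": fields[3].upper(),
            "flags": fields[4].strip("[]").replace(" ", ""),
            "last_set": int(fields[5][4:], 16),
        })
    return accounts


def must_change_time(account, max_age):
    """Last-set time plus max age, or None when the password never expires."""
    if max_age == NEVER_EXPIRE or "X" in account["flags"]:
        return None
    return account["last_set"] + max_age


def expired_users(accounts, max_age, now):
    """Normal user accounts whose password is older than max_age at `now`."""
    out = []
    for acct in accounts:
        if "U" not in acct["flags"]:
            continue  # machine and trust accounts are not user passwords
        deadline = must_change_time(acct, max_age)
        if deadline is not None and deadline <= now:
            out.append(acct["user"])
    return out


def _is_hash(value):
    """True for a 32-hex-digit field; placeholder fields such as X's fail."""
    return len(value) == 32 and all(c in "0123456789ABCDEF" for c in value)


def shared_nt_hashes(accounts):
    """Map each NT hash held by more than one account to those user names."""
    groups = defaultdict(list)
    for acct in accounts:
        if _is_hash(acct["nt"]):
            groups[acct["nt"]].append(acct["user"])
    return {h: sorted(u) for h, u in groups.items() if len(u) > 1}


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE)
    print("expired at 60 days:", expired_users(accts, max_age_seconds(60), NOW))
    for nt_hash, users in shared_nt_hashes(accts).items():
        print("same password (identical NT hash):", ", ".join(users))
```

On a real server the input would be the output of `pdbedit -L -w` run as root; because the hash fields are plaintext-equivalent, as noted in the reply above, the export needs the same protection as the password database itself.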