Re: [Samba] pdbedit password must change not following policy

2011-07-04 Thread Chris Beach
Thank you all for the info, I'm seeing the same thing on my systems (newer
version of samba does have net sam change minimum password age, older one
does not).

So my problem still stands, pdbedit -P maximum password age shows 90 days,
as far as that is concerned it's correct, but for whatever reason, it's not
adding that 90 days from the password last set date to get the password
must change field, so most accounts are locked out, because the password
must change date is older than the password last set date... there must
be some config or setting on the server somewhere causing this, I just
haven't a clue where (I've looked quite a lot).

On Sat, Jul 2, 2011 at 11:52 AM, Chris Smith smb...@chrissmith.org wrote:

 On Sat, Jul 2, 2011 at 9:27 AM, John Drescher dresche...@gmail.com
 wrote:
  He is using an ancient version of samba (3.0.10-1.4E) though so the
  deprecation probably does not apply.

 Thanks. Missed that sorta - wasn't going to dig through the changelog
 back to the stone ages.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] pdbedit password must change not following policy

2011-07-04 Thread Chris Beach
I completely missed this message somehow, thank you, looking at the tdb
file using tdbtool I do see that maximum password age appears to be set to
Z where on the newer version of samba, it doesn't appear to be set.

I'm not sure what Z stands for, but is there a way I could go about
correcting this, or is my only option to update samba on the server
(success) so it will correctly report the password policy of the LDAP server
it is using?

Thanks for all the help.

On Sat, Jul 2, 2011 at 10:27 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:

 On Fri, Jul 1, 2011 at 7:57 PM, Chris Beach chr...@pintys.com wrote:
   [root@success]# pdbedit -P maximum password age
   account policy value for maximum password age is 90
 
  At one time I used pdbedit to force a password change and that stopped
  working. Apparently it was deprecated in favor of net sam set
  pwdmustchangenow.

 net sam set pwdmustchangenow was first introduced at Samba 3.0.25.

 From: Chris Beach chr...@pintys.com
 Date: Fri, 1 Jul 2011 19:57:26 -0400

  I've got a file server (named success) running Samba version
  3.0.10-1.4E. I've also got another file server (named happiness)
  running Samba version 3.3.15 and LDAP.

  I've got success pointed to happiness for LDAP in the smb.conf, and
  running a pdbedit -v user works, it shows the proper
  information...except for the password must expire, it seemingly
  ignores the policy that is set on success, ...
  [root@success]# pdbedit -P maximum password age
  account policy value for maximum password age is 90

 The account policies in which maximum password age is included were
 always stored at local account_policy.tdb before Samba 3.0.21. After
 Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.

 That's the problem, I think.

 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp



Re: [Samba] pdbedit password must change not following policy

2011-07-04 Thread TAKAHASHI Motonobu
From: Chris Beach chr...@pintys.com
Date: Mon, 4 Jul 2011 10:16:27 -0400

 I'm not sure what Z stands for, but is there a way I could go about
 correcting this, or is my only option to update samba on the server
 (success) so it will correctly report the password policy of the LDAP server
 it is using?
 
 Thanks for all the help.

AFAIK, you need to upgrade Samba on success at least to 3.0.21, as I said:
 The account policies in which maximum password age is included were
 always stored at local account_policy.tdb before Samba 3.0.21. After
 Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.

---
TAKAHASHI Motonobu mo...@samba.gr.jp



Re: [Samba] pdbedit password must change not following policy

2011-07-02 Thread Chris Smith
On Fri, Jul 1, 2011 at 7:57 PM, Chris Beach chr...@pintys.com wrote:
 [root@success]# pdbedit -P maximum password age
 account policy value for maximum password age is 90

At one time I used pdbedit to force a password change and that stopped
working. Apparently it was deprecated in favor of net sam set
pwdmustchangenow. I'm guessing the same thing happened to maximum
password age. Try using net sam policy set maximum password age
instead.

Chris


Re: [Samba] pdbedit password must change not following policy

2011-07-02 Thread John Drescher
 At one time I used pdbedit to force a password change and that stopped
 working. Apparently it was deprecated in favor of net sam set
 pwdmustchangenow. I'm guessing the same thing happened to maximum
 password age. Try using net sam policy set maximum password age
 instead.

He is using an ancient version of samba (3.0.10-1.4E) though so the
deprecation probably does not apply.

John


Re: [Samba] pdbedit password must change not following policy

2011-07-02 Thread TAKAHASHI Motonobu
On Fri, Jul 1, 2011 at 7:57 PM, Chris Beach chr...@pintys.com wrote:
  [root@success]# pdbedit -P maximum password age
  account policy value for maximum password age is 90
 
 At one time I used pdbedit to force a password change and that stopped
 working. Apparently it was deprecated in favor of net sam set
 pwdmustchangenow.

net sam set pwdmustchangenow was first introduced at Samba 3.0.25.

From: Chris Beach chr...@pintys.com
Date: Fri, 1 Jul 2011 19:57:26 -0400

 I've got a file server (named success) running Samba version
 3.0.10-1.4E. I've also got another file server (named happiness)
 running Samba version 3.3.15 and LDAP.

 I've got success pointed to happiness for LDAP in the smb.conf, and
 running a pdbedit -v user works, it shows the proper
 information...except for the password must expire, it seemingly
 ignores the policy that is set on success, ...
 [root@success]# pdbedit -P maximum password age
 account policy value for maximum password age is 90

The account policies in which maximum password age is included were
always stored at local account_policy.tdb before Samba 3.0.21. After
Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.

That's the problem, I think.

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] pdbedit password must change not following policy

2011-07-02 Thread Chris Smith
On Sat, Jul 2, 2011 at 9:27 AM, John Drescher dresche...@gmail.com wrote:
 He is using an ancient version of samba (3.0.10-1.4E) though so the
 deprecation probably does not apply.

Thanks. Missed that sorta - wasn't going to dig through the changelog
back to the stone ages.


[Samba] pdbedit password must change not following policy

2011-07-01 Thread Chris Beach
Hey everyone,

I've got a file server (named success) running Samba version 3.0.10-1.4E.
I've also got another file server (named happiness) running Samba version
3.3.15 and LDAP.

I've got success pointed to happiness for LDAP in the smb.conf, and running
a pdbedit -v user works, it shows the proper information...except for the
password must expire, it seemingly ignores the policy that is set on
success, for example:

[root@success]# pdbedit -P maximum password age
account policy value for maximum password age is 90

yet..:

[root@success]# pdbedit -v user
Password last set:Tue, 31 May 2011 12:54:11 GMT
Password can change:  Tue, 07 Dec 2010 09:05:25 GMT
*Password must change: Mon, 07 Mar 2011 09:05:25 GMT*
Last bad password   : 0
Bad password count  : 0

should the Password must change not be 90 days after the Password last set?
If I do the same command on happiness (the one that runs ldap as well) it
outputs as expected.

I've been stuck at this forever, am I missing something VERY obvious?

Thanks for any help!
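
An added example, not part of the original thread and not Samba code: a Python check that reads `pdbedit -v`-style output and reports accounts whose "Password must change" date does not equal "Password last set" plus the maximum password age, which is the symptom described in the original post. Assumptions: the policy value is treated as days, as the poster does; the sample is constructed from the fields quoted in the post; the `Unix username` line and all function names are illustrative.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the fields quoted in the original post for the account
# "user"; the "Unix username" line is assumed, mail asterisks are removed.
SAMPLE = """\
Unix username:        user
Password last set:    Tue, 31 May 2011 12:54:11 GMT
Password can change:  Tue, 07 Dec 2010 09:05:25 GMT
Password must change: Mon, 07 Mar 2011 09:05:25 GMT
"""

FIELD = re.compile(
    r"^(Unix username|Password last set|Password must change)\s*:\s*(.+)$")

def parse_date(value):
    """Return an aware datetime, or None for values such as 'never'."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None

def parse_accounts(text):
    """Split pdbedit -v style output into one dict per account."""
    accounts = []
    for line in text.splitlines():
        match = FIELD.match(line.strip())
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Unix username":
            accounts.append({"user": value})
        elif accounts:
            accounts[-1][key] = parse_date(value)
    return accounts

def check(account, max_age_days):
    """Compare the reported expiry with last set + max_age_days."""
    last_set = account.get("Password last set")
    must_change = account.get("Password must change")
    if last_set is None or must_change is None:
        return "unparsed", None
    expected = last_set + timedelta(days=max_age_days)
    if must_change < last_set:
        return "stale", expected  # expiry predates the last password change
    return ("ok" if must_change == expected else "mismatch"), expected

if __name__ == "__main__":
    for acct in parse_accounts(SAMPLE):
        print(acct["user"], *check(acct, 90))
```

A "stale" result means the expiry date predates the last password change, so the account is treated as expired even though the password was changed recently.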