[Samba] password expiration

2009-12-01 Thread Отдел ИТ Администрации Черниговского района
Greetings. I have a password expiration problem that I cannot solve myself, so I am writing to this list.
Recently I discovered that a newly created Samba account already has an expired password.


smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c 
"Tommy T." tommy

smbldap-passwd tommy

getent shadow
user:*:::0
user2:*:::0
user3:*:::3650
tommy:*:::3650

su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:

auth.log
/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication 
failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=  
user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired 
password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy" 
does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token 
manipulation error

Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user

smb.conf
; Samba [global] section as posted: accounts are stored in LDAP (ldapsam
; backend) and managed through the smbldap-tools scripts configured below.
[global]
 workgroup = WORKGROUP
 server string = %h server
;   wins server = w.x.y.z
 dns proxy = no
;   name resolve order = lmhosts host wins bcast
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog only = yes
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
log level = 3 vfs:2
 security = user
 encrypt passwords = true
; smbd does not apply PAM account/session restrictions with this setting.
; The "password aged" failure in the su transcript is reported by pam_unix
; on the login path, not by smbd.
 obey pam restrictions = no
; unix password sync = no
; On an SMB password change Samba also updates the LDAP password together
; with the NT/LM hashes.
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
; NOTE(review): the chat string below appears to have been wrapped by the
; e-mail; in smb.conf it has to be one logical line.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*all*authentication*tokens*updated

 pam password change = no
; NOTE(review): an ldap:// URL combined with "ldap ssl = no" means the bind
; as "ldap admin dn" and every password update travel to auth.workgroup
; unencrypted. Prefer "ldap ssl = start tls" (or an ldaps:// URL) once slapd
; has a certificate; the part of slapd.conf shown in this post has no TLS
; settings, so both sides would need changing together.
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
; The password for this DN is not kept in smb.conf; Samba reads it from
; secrets.tdb (stored with "smbpasswd -w").
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
unix extensions = no
;   domain logons = yes
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; Account-management hooks: smbd runs these smbldap-tools commands and
; substitutes %u / %g; the substitutions are quoted in every script line.
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

smbldap.conf
# smbldap-tools settings (smbldap.conf) as posted; values are unchanged.
SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
# Reads (slave) and writes (master) both go to auth.workgroup on port 389,
# the plain LDAP port.
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
# NOTE(review): ldapTLS="0" turns StartTLS off, so smbldap-tools binds and
# writes password attributes without encryption unless auth.workgroup is
# this host. verify="none" would also skip certificate checking if TLS were
# enabled; when turning TLS on, use verify="require" together with a CA file.
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
# userPassword is written as a salted SHA-1 hash (SSHA).
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Maximum password age in days for new accounts.
# NOTE(review): presumably this feeds the expiry attributes (shadowMax,
# sambaPwdMustChange) written by smbldap-useradd / smbldap-passwd. Compare it
# with the LDAP entry for the affected user when diagnosing "password aged".
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
# "0" = smbldap-tools generates the hashes itself instead of calling the
# external smbpasswd / slappasswd binaries named below.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"


slapd.conf
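# slapd.conf as posted. The whitespace between each directive and its
# arguments was lost in the archived copy and is restored here; no values
# were changed.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# 256 = "stats" level: connections, operations and results are logged.
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
# NOTE(review): no TLSCertificateFile / TLSCertificateKeyFile directives
# appear in the part shown, which matches the clients' plain ldap:// settings.
# Binds and password-attribute writes are then readable on the network path
# between the Samba host and this server.
backend bdb
database bdb
suffix  "dc=workgroup"
directory   "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
lastmod on
checkpoint  512 30
# The access rule for the password attributes follows; it is truncated in
# this copy of the message.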
access to 
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

  by dn="cn=admin,dc=workgroup" write
  by a

[Samba] password expiration problem

2009-12-01 Thread Отдел ИТ Администрации Черниговского района
Greetings. I have a password expiration problem that I cannot solve myself, so I am writing to this list.
Recently I discovered that a newly created Samba account already has an expired password.


smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c 
"Tommy T." tommy

smbldap-passwd tommy

getent shadow
user:*:::0
user2:*:::0
user3:*:::3650
tommy:*:::3650

su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:

auth.log
/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication 
failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=  
user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired 
password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy" 
does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token 
manipulation error

Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user

smb.conf
; Samba [global] section as posted: accounts are stored in LDAP (ldapsam
; backend) and managed through the smbldap-tools scripts configured below.
[global]
  workgroup = WORKGROUP
  server string = %h server
;   wins server = w.x.y.z
  dns proxy = no
;   name resolve order = lmhosts host wins bcast
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog only = yes
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
log level = 3 vfs:2
  security = user
  encrypt passwords = true
; smbd does not apply PAM account/session restrictions with this setting.
; The "password aged" failure in the su transcript is reported by pam_unix
; on the login path, not by smbd.
  obey pam restrictions = no
; unix password sync = no
; On an SMB password change Samba also updates the LDAP password together
; with the NT/LM hashes.
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
; NOTE(review): the chat string below appears to have been wrapped by the
; e-mail; in smb.conf it has to be one logical line.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*all*authentication*tokens*updated

  pam password change = no
; NOTE(review): an ldap:// URL combined with "ldap ssl = no" means the bind
; as "ldap admin dn" and every password update travel to auth.workgroup
; unencrypted. Prefer "ldap ssl = start tls" (or an ldaps:// URL) once slapd
; has a certificate; the part of slapd.conf shown in this post has no TLS
; settings, so both sides would need changing together.
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
; The password for this DN is not kept in smb.conf; Samba reads it from
; secrets.tdb (stored with "smbpasswd -w").
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
unix extensions = no
;   domain logons = yes
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; Account-management hooks: smbd runs these smbldap-tools commands and
; substitutes %u / %g; the substitutions are quoted in every script line.
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

smbldap.conf
# smbldap-tools settings (smbldap.conf) as posted; values are unchanged.
SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
# Reads (slave) and writes (master) both go to auth.workgroup on port 389,
# the plain LDAP port.
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
# NOTE(review): ldapTLS="0" turns StartTLS off, so smbldap-tools binds and
# writes password attributes without encryption unless auth.workgroup is
# this host. verify="none" would also skip certificate checking if TLS were
# enabled; when turning TLS on, use verify="require" together with a CA file.
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
# userPassword is written as a salted SHA-1 hash (SSHA).
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Maximum password age in days for new accounts.
# NOTE(review): presumably this feeds the expiry attributes (shadowMax,
# sambaPwdMustChange) written by smbldap-useradd / smbldap-passwd. Compare it
# with the LDAP entry for the affected user when diagnosing "password aged".
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
# "0" = smbldap-tools generates the hashes itself instead of calling the
# external smbpasswd / slappasswd binaries named below.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"


slapd.conf
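# slapd.conf as posted. The whitespace between each directive and its
# arguments was lost in the archived copy and is restored here; no values
# were changed.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# 256 = "stats" level: connections, operations and results are logged.
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
# NOTE(review): no TLSCertificateFile / TLSCertificateKeyFile directives
# appear in the part shown, which matches the clients' plain ldap:// settings.
# Binds and password-attribute writes are then readable on the network path
# between the Samba host and this server.
backend bdb
database bdb
suffix  "dc=workgroup"
directory   "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
lastmod on
checkpoint  512 30
# The access rule for the password attributes follows; it is truncated in
# this copy of the message.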
access to 
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

   by dn="cn=admin,dc=workgroup"