samba-tool user setexpiry is broken in 4.7


samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
Hi,

The command 'samba-tool user setexpiry' doesn't work!

Reproducer:

make testenv SELFTEST_TESTENV=ad_member

$ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://localdc.samba.example.com --username=administrator --password=locDCpass1
Expiry for user 'alice' set to 4 days.

$ bin/wbinfo --name-to-sid alice
S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)

$ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c "queryuser 1105"
User Name   :   alice
...
Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST


The must change time is 41 days away and not 4 days as set!


Either the test python/samba/tests/samba_tool/user.py does not work as it
should, or there is a bug in the rpc server.




        Andreas


Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
On Tue, 01 Aug 2017 18:07:52 +0200
Andreas Schneider via samba-technical <[hidden email]>
wrote:

> Hi,
>
> The command 'samba-tool user setexpiry' doesn't work!
>
> Reproducer:
>
> make testenv SELFTEST_TESTENV=ad_member
>
> $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> localdc.samba.example.com --username=administrator
> --password=locDCpass1 Expiry for user 'alice' set to 4 days.
>
> $ bin/wbinfo --name-to-sid alice
> S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
>
> $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> "queryuser 1105"
> User Name   :   alice
> ...
> Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
>
>
> The must change time is 41 days away and not 4 days as set!
>
>
> Either the test python/samba/tests/samba_tool/user.py does not work
> as it should, or there is a bug in the rpc server.
>

Hi Andreas, I think you are getting a bit mixed up here, account expiry
has nothing to do with the password.

Rowland




Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:

> On Tue, 01 Aug 2017 18:07:52 +0200
> Andreas Schneider via samba-technical <[hidden email]>
>
> wrote:
> > Hi,
> >
> > The command 'samba-tool user setexpiry' doesn't work!
> >
> > Reproducer:
> >
> > make testenv SELFTEST_TESTENV=ad_member
> >
> > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > localdc.samba.example.com --username=administrator
> > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> >
> > $ bin/wbinfo --name-to-sid alice
> > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> >
> > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > "queryuser 1105"
> > User Name   :   alice
> > ...
> > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> >
> >
> > The must change time is 41 days away and not 4 days as set!
> >
> >
> > Either the test python/samba/tests/samba_tool/user.py does not work
> > as it should, or there is a bug in the rpc server.
>
> Hi Andreas, I think you are getting a bit mixed up here, account expiry
> has nothing to do with the password.

Damn, how do you change the password expiration?

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-
technical wrote:

> On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > On Tue, 01 Aug 2017 18:07:52 +0200
> > Andreas Schneider via samba-technical <[hidden email]>
> >
> > wrote:
> > > Hi,
> > >
> > > The command 'samba-tool user setexpiry' doesn't work!
> > >
> > > Reproducer:
> > >
> > > make testenv SELFTEST_TESTENV=ad_member
> > >
> > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > localdc.samba.example.com --username=administrator
> > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > >
> > > $ bin/wbinfo --name-to-sid alice
> > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > >
> > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > "queryuser 1105"
> > > User Name   :   alice
> > > ...
> > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > >
> > >
> > > The must change time is 41 days away and not 4 days as set!
> > >
> > >
> > > Either the test python/samba/tests/samba_tool/user.py does not work
> > > as it should, or there is a bug in the rpc server.
> >
> > Hi Andreas, I think you are getting a bit mixed up here, account expiry
> > has nothing to do with the password.
>
> Damn, how do you change the password expiration?
Check the attached patch, that irritated me.


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

0001-pyton-samba-Fix-help-of-samba-tool-user-setexpiry.patch.txt (1K) Download Attachment

Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Wed, 02 Aug 2017 07:46:40 +0200
Andreas Schneider <[hidden email]> wrote:

> On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > On Tue, 01 Aug 2017 18:07:52 +0200
> > Andreas Schneider via samba-technical
> > <[hidden email]>
> >
> > wrote:
> > > Hi,
> > >
> > > The command 'samba-tool user setexpiry' doesn't work!
> > >
> > > Reproducer:
> > >
> > > make testenv SELFTEST_TESTENV=ad_member
> > >
> > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > localdc.samba.example.com --username=administrator
> > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > >
> > > $ bin/wbinfo --name-to-sid alice
> > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > >
> > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > "queryuser 1105"
> > > User Name   :   alice
> > > ...
> > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > >
> > >
> > > The must change time is 41 days away and not 4 days as set!
> > >
> > >
> > > Either the test python/samba/tests/samba_tool/user.py does not
> > > work as it should, or there is a bug in the rpc server.
> >
> > Hi Andreas, I think you are getting a bit mixed up here, account
> > expiry has nothing to do with the password.
>
> Damn, how do you change the password expiration?
>

I don't think you can do this for an individual user. As far as I am
aware, it is an interaction between the user's pwdLastSet attribute and
the domain maxPwdAge attribute.

Rowland


Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Wed, 02 Aug 2017 08:27:20 +0200
Andreas Schneider <[hidden email]> wrote:

> On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-
> technical wrote:
> > On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > > On Tue, 01 Aug 2017 18:07:52 +0200
> > > Andreas Schneider via samba-technical
> > > <[hidden email]>
> > >
> > > wrote:
> > > > Hi,
> > > >
> > > > The command 'samba-tool user setexpiry' doesn't work!
> > > >
> > > > Reproducer:
> > > >
> > > > make testenv SELFTEST_TESTENV=ad_member
> > > >
> > > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > > localdc.samba.example.com --username=administrator
> > > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > > >
> > > > $ bin/wbinfo --name-to-sid alice
> > > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > > >
> > > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > > "queryuser 1105"
> > > > User Name   :   alice
> > > > ...
> > > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > > >
> > > >
> > > > The must change time is 41 days away and not 4 days as set!
> > > >
> > > >
> > > > Either the test python/samba/tests/samba_tool/user.py does not
> > > > work as it should, or there is a bug in the rpc server.
> > >
> > > Hi Andreas, I think you are getting a bit mixed up here, account
> > > expiry has nothing to do with the password.
> >
> > Damn, how do you change the password expiration?
>
> Check the attached patch, that irritated me.
>
>
> Andreas
>

Better English for 'Account does never expire' would be 'Account will
never expire'

Rowland


Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Wed, 2017-08-02 at 07:31 +0100, Rowland Penny via samba-technical
wrote:
>
> I don't think you can do this for an individual user. As far as I am
> aware, it is an interaction between the user's pwdLastSet attribute and
> the domain maxPwdAge attribute.
>

Rowland, this is correct.

The long-term fix is PSO support.  

https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Wed, 2017-08-02 at 08:27 +0200, Andreas Schneider via samba-
technical wrote:

> On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-
> technical wrote:
> > On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > > On Tue, 01 Aug 2017 18:07:52 +0200
> > > Andreas Schneider via samba-technical <[hidden email]>
> > >
> > > wrote:
> > > > Hi,
> > > >
> > > > The command 'samba-tool user setexpiry' doesn't work!
> > > >
> > > > Reproducer:
> > > >
> > > > make testenv SELFTEST_TESTENV=ad_member
> > > >
> > > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > > localdc.samba.example.com --username=administrator
> > > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > > >
> > > > $ bin/wbinfo --name-to-sid alice
> > > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > > >
> > > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > > "queryuser 1105"
> > > > User Name   :   alice
> > > > ...
> > > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > > >
> > > >
> > > > The must change time is 41 days away and not 4 days as set!
> > > >
> > > >
> > > > Either the test python/samba/tests/samba_tool/user.py does not work
> > > > as it should, or there is a bug in the rpc server.
> > >
> > > Hi Andreas, I think you are getting a bit mixed up here, account expiry
> > > has nothing to do with the password.
> >
> > Damn, how do you change the password expiration?
>
> Check the attached patch, that irritated me.

I'm not sure that is correct.  I think the tool is just horribly
confused, mixing the different expiry in the same command.

That option appears to control UF_DONT_EXPIRE_PASSWD, which is per-
user.

Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
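
Added example, not part of any message in this thread and not Samba's code: a simplified model of the two separate expiry mechanisms discussed above, password expiry from pwdLastSet plus the domain maxPwdAge (suppressed by UF_DONT_EXPIRE_PASSWD) versus account expiry from accountExpires. The 42-day maxPwdAge, the time of the setexpiry call, and the assumption that `--days=4` writes accountExpires are constructed to match the output quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # NT time: 100 ns ticks since this date
TICKS_PER_DAY = 86400 * 10_000_000
UF_DONT_EXPIRE_PASSWD = 0x00010000   # per-user bit in userAccountControl
INT64_MAX = 0x7FFFFFFFFFFFFFFF
INT64_MIN = -0x8000000000000000


def to_nt(dt):
    """UTC-aware datetime -> NT time ticks."""
    return (dt - NT_EPOCH) // timedelta(microseconds=1) * 10


def from_nt(ticks):
    """NT time ticks -> UTC-aware datetime."""
    return NT_EPOCH + timedelta(microseconds=ticks // 10)


def password_must_change(pwd_last_set, max_pwd_age, uac):
    """Password expiry: per-user pwdLastSet plus domain-wide maxPwdAge.

    Returns None when the password never expires. maxPwdAge is stored as a
    negative tick count; 0 and INT64_MIN are treated here as "no maximum age".
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, INT64_MIN):
        return None
    if pwd_last_set == 0:            # password must be changed at next logon
        return NT_EPOCH
    return from_nt(pwd_last_set + abs(max_pwd_age))


def account_expires(account_expires_attr):
    """Account expiry: the per-user accountExpires attribute, nothing else."""
    if account_expires_attr in (0, INT64_MAX):   # both values mean "never"
        return None
    return from_nt(account_expires_attr)


# Constructed sample modelled on the queryuser output for 'alice'.
PWD_LAST_SET = to_nt(datetime(2017, 8, 1, 15, 50, 8, tzinfo=timezone.utc))  # 17:50:08 CEST
MAX_PWD_AGE = -42 * TICKS_PER_DAY                              # assumed domain value
RAN_AT = datetime(2017, 8, 1, 16, 0, 0, tzinfo=timezone.utc)   # assumed time of the setexpiry call
ACCOUNT_EXPIRES = to_nt(RAN_AT + timedelta(days=4))            # assumed effect of --days=4

if __name__ == "__main__":
    # Password expiry is untouched by the account expiry value.
    print("password must change:", password_must_change(PWD_LAST_SET, MAX_PWD_AGE, 0x200))
    print("account expires:     ", account_expires(ACCOUNT_EXPIRES))
    print("with DONT_EXPIRE bit:", password_must_change(PWD_LAST_SET, MAX_PWD_AGE, 0x10200))
```

When auditing a directory, check both values per account: an account with a near accountExpires can still show a distant password-must-change time, and the reverse.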



Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
On Wednesday, 2 August 2017 08:56:11 CEST Andrew Bartlett via samba-technical
wrote:

> On Wed, 2017-08-02 at 08:27 +0200, Andreas Schneider via samba-
>
> technical wrote:
> > On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-
> >
> > technical wrote:
> > > On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > > > On Tue, 01 Aug 2017 18:07:52 +0200
> > > > Andreas Schneider via samba-technical
> > > > <[hidden email]>
> > > >
> > > > wrote:
> > > > > Hi,
> > > > >
> > > > > The command 'samba-tool user setexpiry' doesn't work!
> > > > >
> > > > > Reproducer:
> > > > >
> > > > > make testenv SELFTEST_TESTENV=ad_member
> > > > >
> > > > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > > > localdc.samba.example.com --username=administrator
> > > > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > > > >
> > > > > $ bin/wbinfo --name-to-sid alice
> > > > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > > > >
> > > > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > > > "queryuser 1105"
> > > > > User Name   :   alice
> > > > > ...
> > > > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > > > >
> > > > >
> > > > > The must change time is 41 days away and not 4 days as set!
> > > > >
> > > > >
> > > > > Either the test python/samba/tests/samba_tool/user.py does not work
> > > > > as it should, or there is a bug in the rpc server.
> > > >
> > > > Hi Andreas, I think you are getting a bit mixed up here, account
> > > > expiry
> > > > has nothing to do with the password.
> > >
> > > Damn, how do you change the password expiration?
> >
> > Check the attached patch, that irritated me.
>
> I'm not sure that is correct.  I think the tool is just horribly
> confused, mixing the different expiry in the same command.
>
> That option appears to control UF_DONT_EXPIRE_PASSWD, which is per-
> user.
>
> Sorry,
>
> Andrew Bartlett

Then I think it should be moved to setpassword.


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
In Windows AD you can set different group policies where you change
the maxPwdAge for users. I'm curious if the same steps work in Samba AD.
Let me dig up my experiment.

On Wed, Aug 2, 2017 at 1:12 AM, Andreas Schneider via samba-technical <
[hidden email]> wrote:

> On Wednesday, 2 August 2017 08:56:11 CEST Andrew Bartlett via
> samba-technical
> wrote:
> > On Wed, 2017-08-02 at 08:27 +0200, Andreas Schneider via samba-
> >
> > technical wrote:
> > > On Wednesday, 2 August 2017 07:46:40 CEST Andreas Schneider via samba-
> > >
> > > technical wrote:
> > > > On Tuesday, 1 August 2017 19:14:02 CEST Rowland Penny wrote:
> > > > > On Tue, 01 Aug 2017 18:07:52 +0200
> > > > > Andreas Schneider via samba-technical
> > > > > <[hidden email]>
> > > > >
> > > > > wrote:
> > > > > > Hi,
> > > > > >
> > > > > > The command 'samba-tool user setexpiry' doesn't work!
> > > > > >
> > > > > > Reproducer:
> > > > > >
> > > > > > make testenv SELFTEST_TESTENV=ad_member
> > > > > >
> > > > > > $ bin/samba-tool user setexpiry alice --days=4 --URL=ldap://
> > > > > > localdc.samba.example.com --username=administrator
> > > > > > --password=locDCpass1 Expiry for user 'alice' set to 4 days.
> > > > > >
> > > > > > $ bin/wbinfo --name-to-sid alice
> > > > > > S-1-5-21-1321629873-2603511802-1948877269-1105 SID_USER (1)
> > > > > >
> > > > > > $ bin/rpcclient ncacn_np:localdc -UAdministrator%locDCpass1 -c
> > > > > > "queryuser 1105"
> > > > > > User Name   :   alice
> > > > > > ...
> > > > > > Password last set Time   :      Tue, 01 Aug 2017 17:50:08 CEST
> > > > > > Password must change Time:      Tue, 12 Sep 2017 17:50:08 CEST
> > > > > >
> > > > > >
> > > > > > The must change time is 41 days away and not 4 days as set!
> > > > > >
> > > > > >
> > > > > > Either the test python/samba/tests/samba_tool/user.py does not
> work
> > > > > > as it should, or there is a bug in the rpc server.
> > > > >
> > > > > Hi Andreas, I think you are getting a bit mixed up here, account
> > > > > expiry
> > > > > has nothing to do with the password.
> > > >
> > > > Damn, how do you change the password expiration?
> > >
> > > Check the attached patch, that irritated me.
> >
> > I'm not sure that is correct.  I think the tool is just horribly
> > confused, mixing the different expiry in the same command.
> >
> > That option appears to control UF_DONT_EXPIRE_PASSWD, which is per-
> > user.
> >
> > Sorry,
> >
> > Andrew Bartlett
>
> Then I think it should be moved to setpassword.
>
>
>         Andreas
>
>
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             [hidden email]
> www.samba.org
>
>

Re: samba-tool user setexpiry is broken in 4.7

Samba - samba-technical mailing list
On Wednesday, 9 August 2017 16:48:34 CEST Jeff Sadowski wrote:
> In Windows AD you can set different group policies where you change
> the maxPwdAge for users. I'm curious if the same steps work in Samba AD.
> Let me dig up my experiment.

We do not support FGPP.

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org
