LinuxQuestions.org
Old 11-30-2009, 10:36 PM   #1
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Rep: Reputation: 1
[SOLVED] Samba Ldap smbldap-tools password expired


Greetings. I have a password expiration problem I cannot handle myself, so I wrote in this forum.
Recently I discovered that a newly created Samba account already has an expired password.

Code:
smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c "Tommy T." tommy
smbldap-passwd tommy
Code:
getent shadow
user:*:::::::0
user2:*:::::::0
user3:*:::365::::0
tommy:*:::365::::0
Code:
su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:
auth.log
Code:
/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=  user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy" does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token manipulation error
Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user
smb.conf
Code:
[global]
 workgroup = WORKGROUP
 server string = %h server
;   wins server = w.x.y.z
 dns proxy = no
;   name resolve order = lmhosts host wins bcast
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog only = yes
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
log level = 3 vfs:2
 security = user
 encrypt passwords = true
 obey pam restrictions = no
; unix password sync = no
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated
 pam password change = no
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
unix extensions = no
;   domain logons = yes
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
smbldap.conf
Code:
SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

slapd.conf
Code:
include        /etc/ldap/schema/core.schema
include        /etc/ldap/schema/cosine.schema
include        /etc/ldap/schema/inetorgperson.schema
include        /etc/ldap/schema/misc.schema
include        /etc/ldap/schema/nis.schema
include        /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath    /usr/lib/ldap
moduleload    back_bdb
sizelimit 500
tool-threads 1
backend        bdb
database        bdb
suffix          "dc=workgroup"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index    objectClass                eq
index    cn                    pres,sub,eq
index    sn                    pres,sub,eq
index    uid                    pres,sub,eq
index    displayName                pres,sub,eq
index    default                    sub
index    uidNumber                eq
index    gidNumber                eq
index    mail,givenName                eq,subinitial
index    dc                    eq
index    memberUid                eq
index    sambaSID                eq
index    sambaPrimaryGroupSID            eq
index    sambaDomainName                eq
index    sambaGroupType                eq
index    sambaSIDList                eq
index    uniqueMember                eq
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
  by dn="cn=admin,dc=workgroup" write
  by anonymous auth
  by self write
  by * none

access to dn.base="" by * read

access to *
      by dn="cn=admin,dc=workgroup" write
      by * read
Code:
smbldap-usershow tommy
dn: uid=tommy,ou=Users,dc=workgroup
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: tommy
sn: tommy
givenName: tommy
uid: tommy
uidNumber: 1099
gidNumber: 513
homeDirectory: /home/tommy
loginShell: /bin/bash
gecos: T. Tommy
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tommy
sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
sambaLogonScript: tommy.cmd
sambaProfilePath: \\NAS\profiles\tommy
sambaHomePath: \\NAS\tommy
sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
sambaHomeDrive: H:
mailLocalAddress: tommy
mail: tommy@workgroup
sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 3DBDE697D71690A769204BEB12283678
sambaPwdLastSet: 1259217976
sambaPwdMustChange: 1290753976
userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
shadowLastChange: 14574
shadowMax: 365
samba machine.log
Code:
[2009/12/01 14:37:09,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/12/01 14:37:09,  5] auth/token_util.c:debug_nt_user_token(464)
  NT user token: (NULL)
[2009/12/01 14:37:09,  5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2009/12/01 14:37:09,  5] smbd/uid.c:change_to_root_user(287)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2009/12/01 14:37:09,  3] smbd/process.c:check_reload(1906)
  Printcap cache time expired.
Code:
smbd --version
Version 3.2.5
Code:
uname -a
Linux nas 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
Code:
slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
  buildd@ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Pulling my hair out. Thanks in advance.

Last edited by Aghast; 12-23-2009 at 10:59 PM.
 
Old 12-01-2009, 12:52 AM   #2
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
I've changed this in slapd.conf
Code:
#access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
getent shadow now shows:

Code:
user:*:::::::0
user2:*:::::::0
tommy:*:14579::365::::0
And this way I've managed to log in as user tommy. Does the "shadowLastChange" attribute also have to be updated?
 
Old 12-03-2009, 05:44 PM   #3
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
Still stuck.
 
Old 12-15-2009, 01:17 PM   #4
klabacita
Member
 
Registered: Dec 2009
Posts: 32

Rep: Reputation: 16

Hi Aghast.

I have the same issue, but here my users don't need to access my Linux servers; they just run Windows + mail, and the shell is /sbin/nologin.

You are right: every time I add a new user, I find that it has "shadowExpire=0", and every time I try to log in dovecot tells me that the account is "expired".

smbldap-usershow almacen.mbx
dn: uid=almacen.mbx,ou=Users,dc=XXX,dc=com
shadowFlag: 134538308
shadowMin: -1
displayName: Mueblex Almacen
uid: almacen.mbx
shadowInactive: -1
uidNumber: 10016
gidNumber: 513
shadowWarning: 7
homeDirectory: /home/almacen.mbx
shadowExpire: 0
cn: Mueblex Almacen
loginShell: /bin/bash
telephoneNumber: 250
mail: almacen.mbx@XXX.com
sn: Almacen
givenName: Mueblex
gecos: Mueblex Almacen
objectClass: inetOrgPerson,posixAccount,shadowAccount,top,person,mailAccount
mailbox: /home/almacen.mbx/Maildir/
mailuserquota: 0
maildrop: almacen.mbx
mailenable: OK
userPassword: {CRYPT}wX3csUOD1Eao6
shadowLastChange: 14581
shadowMax: 9999

I have to manually change that parameter:

smbldap-usermod --shadowExpire="1024" username

This happens with all the new users I create; even when I migrated one server I had the same issue.

Did you fix this issue?
Is there a way to set these values by default every time we create a user?

shadowExpire='1024'

I use Mandriva MMC to manage my domain.

Thanks.

CentOS 5.4, openldap, samba && smbldap-tools from repos.
 
Old 12-17-2009, 08:05 PM   #5
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
Thanks for your answer. I have found that if I allow a user to write into these attributes in slapd.conf

Code:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
	by dn="cn=admin,dc=workgroup" write
	by anonymous write
	by self write
	by * write
then shadowAccount and shadowExpire in LDAP are correctly updated. Now I have to find out what's wrong.

Last edited by Aghast; 12-18-2009 at 12:35 AM.
 
Old 12-18-2009, 12:33 AM   #6
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
If I set the access rights as they should be
Code:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
	by dn="cn=admin,dc=workgroup" write
	by anonymous auth
	by self write
	by * none
then when I run smbldap-passwd tommy my slapd log shows that everything looks fine
Code:
Dec 18 15:22:47 ns slapd[12250]: conn=3615 fd=74 ACCEPT from IP=192.168.1.11:54447 (IP=0.0.0.0:389)
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 BIND dn="cn=admin,dc=workgroup" method=128
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 BIND dn="cn=admin,dc=workgroup" mech=SIMPLE ssf=0
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 RESULT tag=97 err=0 text=
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=1 SRCH base="dc=workgroup" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=tommy))"
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=2 SRCH base="dc=workgroup" scope=2 deref=2 filter="(&(objectClass=sambaSamAccount)(uid=tommy))"
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 MOD dn="uid=tommy,ou=Users,dc=workgroup"
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 MOD attr=sambaLMPassword sambaAcctFlags sambaNTPassword sambaPwdLastSet sambaPwdMustChange
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 RESULT tag=103 err=0 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 MOD dn="uid=tommy,ou=Users,dc=workgroup"
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 MOD attr=userPassword shadowLastChange shadowMax
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 RESULT tag=103 err=0 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=5 UNBIND
Dec 18 15:22:49 ns slapd[12250]: conn=3615 fd=74 closed
But when I try to log in as tommy my password is expired. So I need somehow to write in
Code:
userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by
Code:
dn="uid=tommy,ou=Users,dc=workgroup"

Last edited by Aghast; 12-18-2009 at 12:36 AM.
 
Old 12-23-2009, 10:58 PM   #7
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
Changed slapd.conf a little
Code:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
	by dn="cn=admin,dc=workgroup" write
	by self write
	by anonymous auth
	by * none

access to attrs=shadowLastChange,shadowMax
	by dn="cn=admin,dc=workgroup" write
	by self write
	by * read
It now works as it should.
 
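The mechanism behind this thread, written up as an added example (it is not code from the thread, from smbldap-tools or from Linux-PAM): nss_ldap builds the `getent shadow` line from shadowLastChange, shadowMax, shadowInactive and shadowExpire, and when the slapd ACL hides shadowLastChange from whoever is doing the lookup (here the unprivileged account running `su`, which is not `self`), the field arrives empty. glibc parses an empty numeric shadow field as -1, and pam_unix then computes a password age of curdays + 1, which is far beyond shadowMax = 365, hence "expired password (password aged)". The script below models the decision order of Linux-PAM's pam_unix check_shadow_expiry() (an assumption of this example, as are the status labels); the sample lines are the two `getent shadow` snapshots from posts #1 and #2, evaluated on the day of the second snapshot.

```python
# Added example: why a hidden shadowLastChange makes pam_unix report
# "password aged". Models Linux-PAM's pam_unix check_shadow_expiry();
# the status strings are this script's own labels, not PAM constants.
import time

OK = "ok"
ACCT_EXPIRED = "account expired"
PW_AGED = "expired password (password aged)"
PW_ROOT_ENFORCED = "expired password (root enforced)"
PW_INACTIVE = "password expired and past inactivity period"


def parse_shadow_line(line):
    """Parse one line of `getent shadow` output into its numeric fields.

    glibc's shadow parser turns an EMPTY numeric field into -1, so a
    shadowLastChange that the LDAP ACL hides from the caller shows up
    here as lstchg == -1 rather than as "unset".
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %r" % line)

    def num(field):
        return int(field) if field.strip() else -1

    return {
        "name": fields[0],
        "lstchg": num(fields[2]),   # shadowLastChange: days since epoch
        "min": num(fields[3]),      # shadowMin
        "max": num(fields[4]),      # shadowMax
        "warn": num(fields[5]),     # shadowWarning
        "inact": num(fields[6]),    # shadowInactive
        "expire": num(fields[7]),   # shadowExpire
    }


def check_shadow_expiry(sp, curdays):
    """Return (status, daysleft) in the order pam_unix evaluates the checks."""
    daysleft = -1
    if sp["expire"] > 0 and curdays >= sp["expire"]:
        return ACCT_EXPIRED, daysleft
    if sp["lstchg"] == 0:
        return PW_ROOT_ENFORCED, 0
    if curdays < sp["lstchg"]:
        return OK, daysleft          # change date in the future is accepted
    age = curdays - sp["lstchg"]     # with lstchg == -1 this is curdays + 1
    if (sp["max"] != -1 and sp["inact"] != -1
            and age > sp["max"] and age > sp["inact"]
            and age > sp["max"] + sp["inact"]):
        return PW_INACTIVE, sp["lstchg"] + sp["max"] - curdays
    if sp["max"] != -1 and age > sp["max"]:
        return PW_AGED, daysleft
    if sp["max"] != -1:
        daysleft = sp["lstchg"] + sp["max"] - curdays
    return OK, daysleft


def diagnose(lines, curdays=None):
    """Map each account in `lines` to the status pam_unix would give it."""
    if curdays is None:
        curdays = int(time.time() // 86400)
    return {sp["name"]: check_shadow_expiry(sp, curdays)[0]
            for sp in map(parse_shadow_line, lines)}


# Sample input taken from the thread: the `getent shadow` lines before the ACL
# change (shadowLastChange hidden -> empty field) and after it (readable).
BEFORE_ACL_FIX = ["user:*:::::::0", "tommy:*:::365::::0"]
AFTER_ACL_FIX = ["user:*:::::::0", "tommy:*:14579::365::::0"]
DAY_2009_12_01 = 14579   # 2009-12-01 as days since the epoch

if __name__ == "__main__":
    for label, lines in (("before", BEFORE_ACL_FIX), ("after", AFTER_ACL_FIX)):
        print(label, diagnose(lines, DAY_2009_12_01))
```

To confirm the fix on a real box, run `getent shadow tommy` as the unprivileged account that will be doing the `su` (not as root, whose lookups may bind differently): if the third field is still empty, the ACL is still hiding shadowLastChange from that bind. The split ACL in the post above is the right shape for this: shadowLastChange and shadowMax carry no secret and can be world-readable, while userPassword and the Samba LM/NT hashes stay limited to the admin DN, self, and `auth`. This script models pam_unix only; dovecot's treatment of shadowExpire, which is klabacita's case, is a separate check.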
Old 12-28-2009, 02:43 AM   #8
klabacita
Member
 
Registered: Dec 2009
Posts: 32

Rep: Reputation: 16

Hey Aghast.

I see that you are not running RedHat/CentOS but have the same behaviour. I have seen that my issue is when I add an email account to our server; if I add a user or machine account I don't have issues.

My issue is when I add an email account, so it looks like the issue is not samba or smbldap-tools; I'm using Mandriva MDS.

I already asked on the forum, just waiting for the answer.

Thanks.

Centos 5.4/openldap 2.3.x/samba 3.0.33.
 
Old 12-29-2009, 02:04 AM   #9
Aghast
LQ Newbie
 
Registered: Nov 2009
Posts: 7

Original Poster
Rep: Reputation: 1
klabacita, I don't know if it would help, but you may try to set a policy for maximum password age with pdbedit.
Code:
pdbedit -P "maximum password age" -C 1024
 
Old 12-30-2009, 05:37 PM   #10
klabacita
Member
 
Registered: Dec 2009
Posts: 32

Rep: Reputation: 16

Appreciated your tip, Aghast.

The only small thing is that I have to do this each time I add an email account; it's an extra step I have to make.

Before this was working normally, but something changed with Mandriva MDS or something else.

But thanks for your help and tips my friend.
 
Old 02-25-2010, 12:16 AM   #11
klabacita
Member
 
Registered: Dec 2009
Posts: 32

Rep: Reputation: 16
Hi Aghast, it's me again.

Finally the people from MDS answered my email. This option is enabled by default on MDS; it wasn't a samba/ldap thing, I knew it was an MDS setting. They told me to add this setting inside base.ini from MDS and restart the service:

[userdefault]
shadowExpire = DELETE

The fix works.

Thanks!!!
 