Samba Ldap smbldap-tools password expired

Aghast · 11-30-2009, 09:36 PM

Greetings. I have a problem with password expiration problem i cannot handle myself, so i wrote in this forum.
Recently i discovered that a newly created samba account has already expired password.

Code:

smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c "Tommy T." tommy
smbldap-passwd tommy

Code:

getent shadow
user:*:::::::0
user2:*:::::::0
user3:*:::365::::0
tommy:*:::365::::0

Code:

su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:

auth.log

Code:

/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=  user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy" does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token manipulation error
Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user

smb.conf

Code:

[global]
 workgroup = WORKGROUP
 server string = %h server
;   wins server = w.x.y.z
 dns proxy = no
;   name resolve order = lmhosts host wins bcast
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog only = yes
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
log level = 3 vfs:2
 security = user
 encrypt passwords = true
 obey pam restrictions = no
; unix password sync = no
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated
 pam password change = no
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
unix extensions = no
;   domain logons = yes
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

smbldap.conf

Code:

SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

slapd.conf

Code:

include        /etc/ldap/schema/core.schema
include        /etc/ldap/schema/cosine.schema
include        /etc/ldap/schema/inetorgperson.schema
include        /etc/ldap/schema/misc.schema
include        /etc/ldap/schema/nis.schema
include        /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath    /usr/lib/ldap
moduleload    back_bdb
sizelimit 500
tool-threads 1
backend        bdb
database        bdb
suffix          "dc=workgroup"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index    objectClass                eq
index    cn                    pres,sub,eq
index    sn                    pres,sub,eq
index    uid                    pres,sub,eq
index    displayName                pres,sub,eq
index    default                    sub
index    uidNumber                eq
index    gidNumber                eq
index    mail,givenName                eq,subinitial
index    dc                    eq
index    memberUid                eq
index    sambaSID                eq
index    sambaPrimaryGroupSID            eq
index    sambaDomainName                eq
index    sambaGroupType                eq
index    sambaSIDList                eq
index    uniqueMember                eq
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
  by dn="cn=admin,dc=workgroup" write
  by anonymous auth
  by self write
  by * none

access to dn.base="" by * read

access to *
      by dn="cn=admin,dc=workgroup" write
      by * read

Code:

smbldap-usershow tommy
dn: uid=tommy,ou=Users,dc=workgroup
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: tommy
sn: tommy
givenName: tommy
uid: tommy
uidNumber: 1099
gidNumber: 513
homeDirectory: /home/tommy
loginShell: /bin/bash
gecos: T. Tommy
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tommy
sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
sambaLogonScript: tommy.cmd
sambaProfilePath: \\NAS\profiles\tommy
sambaHomePath: \\NAS\tommy
sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
sambaHomeDrive: H:
mailLocalAddress: tommy
mail: tommy@workgroup
sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 3DBDE697D71690A769204BEB12283678
sambaPwdLastSet: 1259217976
sambaPwdMustChange: 1290753976
userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
shadowLastChange: 14574
shadowMax: 365

samba machine.log

Code:

[2009/12/01 14:37:09,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/12/01 14:37:09,  5] auth/token_util.c:debug_nt_user_token(464)
  NT user token: (NULL)
[2009/12/01 14:37:09,  5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2009/12/01 14:37:09,  5] smbd/uid.c:change_to_root_user(287)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2009/12/01 14:37:09,  3] smbd/process.c:check_reload(1906)
  Printcap cache time expired.

Code:

smbd --version
Version 3.2.5

Code:

uname -a
Linux nas 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux

Code:

slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
  buildd@ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd

Pulling my hairs out. Thanks in advance.

Aghast · 11-30-2009, 11:52 PM

I've changed this in slapd.conf

Code:

#access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
access to attrs=userPassword,sambaNTPassword,sambaLMPassword

getent shadow now shows:

Code:

user:*:::::::0
user2:*:::::::0
tommy:*:14579::365::::0

And this way i've managed to login as user tommy. Is "shadowLastChange" attribute has to be aslo updated as well?

Aghast · 12-03-2009, 04:44 PM

Still stuck.

klabacita · 12-15-2009, 12:17 PM

Hi Aghast.

I have the same issue, but here my users doesn't need to access my linux servers, they just run windows+mail, the shell is /sbin/nologin.

U are right everytime I add a new user, I found that it has his "shadowExpire=0" and dovecot every time I try to login it let me know that the account is "expire"

smbldap-usershow almacen.mbx
dn: uid=almacen.mbx,ou=Users,dc=XXX,dc=com
shadowFlag: 134538308
shadowMin: -1
displayName: Mueblex Almacen
uid: almacen.mbx
shadowInactive: -1
uidNumber: 10016
gidNumber: 513
shadowWarning: 7
homeDirectory: /home/almacen.mbx
shadowExpire: 0
cn: Mueblex Almacen
loginShell: /bin/bash
telephoneNumber: 250
mail: almacen.mbx@XXX.com
sn: Almacen
givenName: Mueblex
gecos: Mueblex Almacen
objectClass: inetOrgPerson,posixAccount,shadowAccount,top,person,mailAccount
mailbox: /home/almacen.mbx/Maildir/
mailuserquota: 0
maildrop: almacen.mbx
mailenable: OK
userPassword: {CRYPT}wX3csUOD1Eao6
shadowLastChange: 14581
shadowMax: 9999

I have to manually change that parameter:

smbldap-usermod --shadowExpire="1024" username

This is with all the new users I create, even I had migrate one server and the same issue I have.

Did u fix this issue?
Exist a way to setup this values by default every time we create a user?

shadowExpire='1024'

I use mandriva MMC to manage my domain.

Thanks.

Centos 5.4 openldap, samba && smbldap-tools from repos.

Aghast · 12-17-2009, 07:05 PM

Thanks for you answer. I have found that if i allow a user to write into these attributes in slapd.conf

Code:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
	by dn="cn=admin,dc=workgroup" write
	by anonymous write
	by self write
	by * write

then shadowAccount and shadowExpire in ldap are correctly updated. Now i have to find out what's wrong.

Aghast · 12-17-2009, 11:33 PM

If i set rights for access as they should be

Code:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
	by dn="cn=admin,dc=workgroup" write
	by anonymous auth
	by self write
	by * none

then my slapd log shows when smbpldap-passwd tommy like everything is fine

Code:

Dec 18 15:22:47 ns slapd[12250]: conn=3615 fd=74 ACCEPT from IP=192.168.1.11:54447 (IP=0.0.0.0:389)
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 BIND dn="cn=admin,dc=workgroup" method=128
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 BIND dn="cn=admin,dc=workgroup" mech=SIMPLE ssf=0
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=0 RESULT tag=97 err=0 text=
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=1 SRCH base="dc=workgroup" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=tommy))"
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=2 SRCH base="dc=workgroup" scope=2 deref=2 filter="(&(objectClass=sambaSamAccount)(uid=tommy))"
Dec 18 15:22:47 ns slapd[12250]: conn=3615 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 MOD dn="uid=tommy,ou=Users,dc=workgroup"
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 MOD attr=sambaLMPassword sambaAcctFlags sambaNTPassword sambaPwdLastSet sambaPwdMustChange
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=3 RESULT tag=103 err=0 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 MOD dn="uid=tommy,ou=Users,dc=workgroup"
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 MOD attr=userPassword shadowLastChange shadowMax
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=4 RESULT tag=103 err=0 text=
Dec 18 15:22:49 ns slapd[12250]: conn=3615 op=5 UNBIND
Dec 18 15:22:49 ns slapd[12250]: conn=3615 fd=74 closed

But when i try to log in as tommy my password is expired. So i need somehow to write in

Code:

userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

by

Code:

dn="uid=tommy,ou=Users,dc=workgroup"

Aghast · 12-23-2009, 09:58 PM

Changed a little slapd.conf

Code:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
	by dn="cn=admin,dc=workgroup" write
	by self write
	by anonymous auth
	by * none

access to attrs=shadowLastChange,shadowMax
	by dn="cn=admin,dc=workgroup" write
	by self write
	by * read

It is now works as it should be.

klabacita · 12-28-2009, 01:43 AM

Hey Aghast.

I seen that u are not running RedHat/Centos but have the same behavior, I have seen that my issue is went I add a email account to our server, If I add a user or machine account I don't have issues.

My issue is went I add a email account, by looks like the issue is not samba or smbldap-tools, I'm using mandriva mds.

I already ask to the forum, just waiting the answer.

Thanks.

Centos 5.4/openldap 2.3.x/samba 3.0.33.

Aghast · 12-29-2009, 01:04 AM

klabacita, i don't know if it would help, but you may try to set a policy for maximum password age with pdbedit.

Code:

pdbedit -P "maximum password age" -C 1024

klabacita · 12-30-2009, 04:37 PM

Appreciated your tip Aghast.

The only small thing is that I have to this each time I add a email account, is a extra step I have to make.

Before this was working normally, but something chanhge with mandriva mds or something else.

But thanks for your help and tips my friend.

klabacita · 02-24-2010, 11:16 PM

Hi Aghast, is me again.

Finally the people from mds answer my email, this option is enable by default on MDS, it wasn't a samba ldap thing, I knew that was mds settings, they told me to add this setting inside base.ini from mds and restart the service:

[userdefault]
shadowExpire = DELETE

Fix works.

Thanks!!!