From: Отдел ИТ Администрации Черниговского района on
Greetings. I have a password expiration problem I cannot solve myself, so I am
writing to this list.
Recently I discovered that a newly created Samba account already has an
expired password.

smbldap-useradd -a -d /home/tommy -G education -s /bin/bash -M tommy -c
"Tommy T." tommy
smbldap-passwd tommy

getent shadow
user:*:::::::0
user2:*:::::::0
user3:*:::365::::0
tommy:*:::365::::0

su tommy
pam_mount password:
Password aged
Enter login(LDAP) password:

auth.log
/dev/pts/5 user:tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:auth): authentication
failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=user rhost=
user=tommy
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:account): expired
password for user tommy (password aged)
Nov 26 16:47:34 it-chief su[5638]: pam_unix(su:chauthtok): user "tommy"
does not exist in /etc/passwd
Nov 26 16:48:12 it-chief su[5638]: pam_chauthtok: Authentication token
manipulation error
Nov 26 16:48:12 it-chief su[5638]: FAILED su for tommy by user

smb.conf
# [global] section as posted (Samba 3.2.5 on Debian lenny); the '#' lines are review notes.
[global]
workgroup = WORKGROUP
server string = %h server
; wins server = w.x.y.z
dns proxy = no
; name resolve order = lmhosts host wins bcast
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
syslog = 0
panic action = /usr/share/samba/panic-action %d
# Level 3 is verbose debugging output; lower it again once the aging problem is solved.
log level = 3 vfs:2
security = user
encrypt passwords = true
# smbd does not run PAM account/session checks for SMB logons, so shadow aging is
# only enforced on the Unix side (su/login). It is su, not smbd, that fails here.
obey pam restrictions = no
; unix password sync = no
# unix password sync is left at its default (no), so smbd does not invoke passwd
# program / passwd chat; with ldap passwd sync = yes it rewrites userPassword in
# LDAP itself, binding as the admin DN. NOTE(review): confirm which path is meant.
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
# The passwd chat value below was presumably wrapped by the mail client; it is one line in the file.
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated
pam password change = no
# The admin DN has write access to the whole tree (see the slapd.conf rules) and
# its bind password lives in secrets.tdb. With ldap ssl = no that bind and the
# NT/LM hashes cross the network to auth.workgroup:389 in clear text unless
# slapd runs on this same host; `ldap ssl = start tls` here, ldapTLS="1" in
# smbldap.conf and TLS on slapd close that.
passdb backend = ldapsam:ldap://auth.workgroup
ldap ssl = no
ldap admin dn = cn=admin,dc=workgroup
ldap suffix = dc=workgroup
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# idmap entries share ou=Users with real accounts; harmless for this problem, but
# a separate ou=Idmap keeps them apart.
ldap idmap suffix = ou=Users
unix extensions = no
; domain logons = yes
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
# Provisioning hooks run as root via smbldap-tools; with ldap delete dn = yes the
# LDAP entry is removed together with the delete user script.
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
ldap delete dn = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

smbldap.conf
# smbldap-tools configuration as posted; the '#' lines are review notes.
# Must equal the domain SID smbd reports; it matches the prefix of the sambaSID
# values on the tommy entry shown further down.
SID="S-1-5-21-482339686-3080510186-2817641028"
sambaDomain="WORKGROUP"
slaveLDAP="auth.workgroup"
slavePort="389"
masterLDAP="auth.workgroup"
masterPort="389"
# No TLS and no certificate verification: the tools bind with the credentials
# from smbldap_bind.conf and send new userPassword/NT/LM values to port 389 in
# clear text. Prefer ldapTLS="1" with verify="require" and a cafile unless slapd
# is local and 389 never leaves the host.
ldapTLS="0"
verify="none"
suffix="dc=workgroup"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
scope="sub"
# Salted SHA-1 for userPassword; crypt_salt_format only matters when
# hash_encrypt is CRYPT.
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Source of shadowMax: 365 on new accounts and of sambaPwdMustChange =
# sambaPwdLastSet + 365 days (both visible in the usershow output). The value
# itself is not the cause of "password aged": the password was set the same
# day as the failed su. The suspect is the slapd.conf access rule that lists
# shadowLastChange with the password hashes, which makes the attribute
# unreadable for the NSS lookup (blank field in `getent shadow`).
defaultMaxPasswordAge="365"
userSmbHome="\\NAS\%U"
userProfile="\\NAS\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="workgroup"
# NT/LM hashes are computed by the tools themselves (not via smbpasswd) and
# written straight into sambaNTPassword/sambaLMPassword, so the bind DN used
# by the tools needs write access on those attributes.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"


slapd.conf
# slapd.conf as posted (OpenLDAP 2.4.11); the '#' lines are review notes.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# 256 = stats (connections, operations, results); logs no password material.
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=workgroup"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
lastmod on
checkpoint 512 30
# Access rules are evaluated in order; the first <what> matching an attribute
# wins. shadowLastChange sits in the same list as the password hashes, so any
# client that is neither the admin DN nor the user itself gets "none" on it.
# That most likely is what the NSS lookup behind `getent shadow` sees: the
# shadowLastChange field comes back empty although the entry holds 14574, and
# pam_unix then reports "password aged" for a password set that same day.
# Suggested fix, a separate rule placed *before* this one:
#   access to attrs=shadowLastChange
#       by dn="cn=admin,dc=workgroup" write
#       by self write
#       by * read
# NOTE(review): if nss_ldap binds with a dedicated DN, grant read to that DN
# rather than to everyone. Keep userPassword and the NT/LM hashes as below:
# "anonymous auth" permits binding without reading, "self write" lets a user
# replace their own hashes, everyone else is denied. Even with the ACL fixed, a
# real expiry will still fail as in auth.log (pam_unix chauthtok cannot change
# an LDAP password) until the PAM password stack includes pam_ldap.
# Continuation lines (attrs=, by ...) must start with whitespace in slapd.conf;
# the indent appears to have been lost in the mail.
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=workgroup" write
by anonymous auth
by self write
by * none

access to dn.base="" by * read

# Everything else (uidNumber, homeDirectory, sambaSID, mail, ...) is readable
# anonymously, which nss_ldap without a bind DN requires; tighten to
# `by users read` only if every NSS client binds.
access to *
by dn="cn=admin,dc=workgroup" write
by * read

smbldap-usershow tommy
# smbldap-usershow output as posted; the '#' lines are review notes.
dn: uid=tommy,ou=Users,dc=workgroup
# objectClass values were wrapped onto the next line by the mail client.
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: tommy
sn: tommy
givenName: tommy
uid: tommy
uidNumber: 1099
gidNumber: 513
homeDirectory: /home/tommy
loginShell: /bin/bash
gecos: T. Tommy
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tommy
sambaSID: S-1-5-21-482339686-3080510186-2817641028-3198
sambaLogonScript: tommy.cmd
sambaProfilePath: \\NAS\profiles\tommy
sambaHomePath: \\NAS\tommy
sambaPrimaryGroupSID: S-1-5-21-482339686-3080510186-2817641028-513
sambaHomeDrive: H:
mailLocalAddress: tommy
# "(a)" appears to be the list archive's masking of "@".
mail: tommy(a)workgroup
# NOTE(review): the LM/NT hashes and the SSHA userPassword in this post are now
# public; treat the account's password as disclosed and reset it. The second
# half of the LM hash is the well-known empty-block constant, i.e. the password
# is at most 7 characters, and storing LM hashes at all (unsalted, weak) should
# be avoided where no LM-only clients remain.
sambaLMPassword: CCF9155E3E7DB453AAD3B435B51404EE
# [U] = normal user account; no X flag, so Samba-side expiry applies too.
sambaAcctFlags: [U]
sambaNTPassword: 3DBDE697D71690A769204BEB12283678
# Both set-times are 2009-11-26, the day of the auth.log lines: 1259217976 s
# is that day in seconds, shadowLastChange 14574 is that day in days since the
# epoch. sambaPwdMustChange - sambaPwdLastSet = 31536000 s = 365 days =
# defaultMaxPasswordAge. By the entry's own values the password is fresh; the
# blank shadowLastChange field in `getent shadow` means the NSS lookup could not
# read this attribute (see the slapd.conf access rule that lists it with the
# password hashes).
sambaPwdLastSet: 1259217976
sambaPwdMustChange: 1290753976
userPassword: {SSHA}baNet7XxM3EaPORUnwRCYNSXTlF0cE5z
shadowLastChange: 14574
shadowMax: 365

smbd --version
Version 3.2.5

debian lenny

slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Oct 12 2008 04:13:21) $
buildd(a)ninsei:/build/buildd/openldap-2.4.11/debian/build/servers/slapd

Thanks in advance