Univention Bugzilla – Bug 44226
Maximum password age and change on next login not enforced
Last modified: 2020-10-09 14:47:30 CEST
Maximum password age and change password on next login are not enforced by Samba/AD in UCS 4.1-4 e407, tested with 1) Windows client 2) kinit 3) smbclient.

Example:
===========================================================================
date -s "Mon, 23 Nov 2015 21:06:52 GMT"
/etc/init.d/samba restart
udm users/user create --set username=user1 --set lastname=name1 \
    --set password=univention
samba-tool domain passwordsettings set --max-pwd-age=1
rdate -n 10.200.8.1
/etc/init.d/samba restart
kinit user1
smbclient //$(hostname -f)/user1 -Uuser1%univention
===========================================================================

As a first step, we should investigate when this regression started.
It still worked with UCS 4.1-3 errata282 (samba 2:4.3.7-1.835.201607051244):
=============================================================================
root@master10:~# date
Mo 23. Nov 16:44:00 CET 2015
root@master10:~# udm users/user create --set username=user1 \
    --set lastname=name1 \
    --set password=univention
Object created: uid=user1,dc=ar41i1,dc=qa
root@master10:~#
root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=1
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password:
Your password will expire at Tue Nov 24 16:43:40 2015
root@master10:~# rdate -n 10.200.8.1
Mon Apr  3 13:14:07 CEST 2017
root@master10:~# kinit user1
user1@AR41I1.QA's Password:
kinit: krb5_get_init_creds: No ENC-TS found
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention
session setup failed: NT_STATUS_PASSWORD_EXPIRED
=============================================================================

With 4.1-4 errata353 (samba 2:4.5.1-1.848.201611070734) it doesn't.
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
Looks like --max-pwd-age=1 is special. With --max-pwd-age=2 it seems to work:

root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=2
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password:
kinit: krb5_get_init_creds: Password has expired
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention -c quit
Kinit for user1@AR41I1.QA to access master10.ar41i1.qa failed: Password has expired
session setup failed: NT_STATUS_PASSWORD_EXPIRED
root@master10:~# samba-tool domain passwordsettings set --max-pwd-age=1
Maximum password age changed!
All changes applied successfully!
root@master10:~# kinit user1
user1@AR41I1.QA's Password:
root@master10:~# smbclient //$(hostname -f)/user1 -Uuser1%univention -c quit
root@master10:~#
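As an added example (not part of this bug report and not Samba or UCS code), the following Python computes the expiry decision that the domain controller is expected to enforce, so the observed behaviour above can be compared against the intended one. It encodes the two attributes the way Active Directory and Samba store them: pwdLastSet as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC, with 0 meaning "change password on next login"), and maxPwdAge on the domain object as a negative tick count, with the all-bits-high sentinel meaning "never expires". The assumption that `samba-tool domain passwordsettings set --max-pwd-age=<days>` stores `-(days * 86400 * 10^7)` and maps 0 to the sentinel is mine; the function names and the sample timeline (password set 2015-11-23 16:43:40 CET, clock moved to 2017-04-03 13:14:07 CEST, as in the comments above) are constructed for illustration.

```python
"""Expected AD/Samba password-expiry decision (added example, constructed values)."""
from datetime import datetime, timedelta, timezone

# AD and Samba store pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# maxPwdAge is stored as a *negative* tick count; this sentinel (0x8000000000000000
# read as a signed 64-bit integer) means "password never expires".
NEVER_EXPIRES = -(1 << 63)


def to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME tick count."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count back to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def days_to_max_pwd_age(days: int) -> int:
    """Assumed encoding of 'samba-tool ... --max-pwd-age=<days>' as stored in maxPwdAge."""
    if days == 0:
        return NEVER_EXPIRES
    return -days * 86400 * TICKS_PER_SECOND


def expiry_time(pwd_last_set: int, max_pwd_age: int):
    """Return the UTC moment the password expires, or None if it never does."""
    if pwd_last_set == 0 or max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return from_filetime(pwd_last_set - max_pwd_age)  # max_pwd_age is negative, so this adds


def password_state(pwd_last_set: int, max_pwd_age: int, now: datetime) -> str:
    """Classify an account as 'must-change', 'never-expires', 'expired' or 'valid' at `now`."""
    if pwd_last_set == 0:  # the "change password on next login" marker
        return "must-change"
    expires = expiry_time(pwd_last_set, max_pwd_age)
    if expires is None:
        return "never-expires"
    return "expired" if now.astimezone(timezone.utc) >= expires else "valid"


def sample_timeline() -> dict:
    """Constructed sample following the bug report's timeline (not real domain data)."""
    utc = timezone.utc
    last_set = to_filetime(datetime(2015, 11, 23, 15, 43, 40, tzinfo=utc))  # 16:43:40 CET
    one_day = days_to_max_pwd_age(1)
    two_days = days_to_max_pwd_age(2)
    before = datetime(2015, 11, 23, 15, 44, 0, tzinfo=utc)   # 16:44:00 CET, right after creation
    after = datetime(2017, 4, 3, 11, 14, 7, tzinfo=utc)      # 13:14:07 CEST, after rdate
    return {
        "expires_at": expiry_time(last_set, one_day).isoformat(),
        "before_jump": password_state(last_set, one_day, before),
        "after_jump_1_day": password_state(last_set, one_day, after),
        "after_jump_2_days": password_state(last_set, two_days, after),
        "must_change": password_state(0, one_day, after),
        "never": password_state(last_set, days_to_max_pwd_age(0), after),
    }


if __name__ == "__main__":
    for key, value in sample_timeline().items():
        print(f"{key}: {value}")
```

With the sample timeline the checker reports the expiry as 2015-11-24 15:43:40 UTC (the 16:43:40 CET that the working kinit printed) and "expired" after the clock jump for both a one-day and a two-day maximum age, so a domain controller that accepts the password in that state is deviating from the stored policy rather than from an edge in the arithmetic.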