[NTLUG:Discuss] Re: Samba password aging (or not?)
Kenneth Loafman
ken at lt.com
Tue Feb 3 11:00:19 CST 2004
Kenneth Loafman wrote:
> OK, it's happened to a second user, ME. The Samba password aged today
> and I had to use smbpasswd to reset it. I got to the shell through my
> normal SSH command, without warning, so it's a problem with Samba, not
> the Linux server, or the Windows client.
>
> In other words, 3 accounts, Linux, Windows and Samba. The Linux and
> Windows accounts do not age. The Samba account does and should not.
>
> It's got to be something undocumented in that new experimental .tdb
> database they are flogging now. Just wish I could go back to the old
> flat text file that could actually be read and diagnosed. Other than
> string dumps, there's no way to access the new database to audit which
> users are actually there. Seems to be a security hazard as well.
>
> Cameron, Thomas wrote:
>
>> Are you sure it's not an issue on the Windows box itself? I've never
>> heard of Linux aging magically turning on for one user, but I have
>> definitely heard of a user screwing around with their account settings
>> on their desktop PC. Check the settings for the user account on the
>> 'Doze machine.

I finally got on the Samba mailing list (warning, high traffic) and got
an answer. Debian has gone back to the smbpasswd form of password file.
For a while they used passdb.tdb. This binary file does have password
aging and other policies not supported by smbpasswd, and the default was
21 days for any new or modified entry. That's when the problems began.

It is possible to see the TDB file with a utility called 'pdbedit'.
Using 'pdbedit -e ...', it is possible to export an smbpasswd file, then
modify 'passdb backend' in smb.conf to use the smbpasswd file. You can
also make your password backend use LDAP or other database formats.
Very flexible.

So, the fix was simple, just not immediately obvious. Man pages for
pdbedit, smbpasswd and smb.conf came in handy.

...Ken
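
Added example, not part of the original post: a small audit of password aging from the verbose account listing that `pdbedit -L -v` prints, which covers both the "which users are actually there" and the "who is about to expire" questions raised in this thread. The sample listing is constructed, the field labels and date format are assumed to match the installed Samba version, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (invented users/dates) in the `pdbedit -L -v` field layout.
SAMPLE = """\
---------------
Unix username:        ken
Password last set:    Tue, 13 Jan 2004 10:58:02 CST
Password must change: Tue, 03 Feb 2004 10:58:02 CST
---------------
Unix username:        thomas
Password last set:    Mon, 05 Jan 2004 09:12:40 CST
Password must change: never
"""
FMT = "%a, %d %b %Y %H:%M:%S"  # assumed date layout; zone name handled below

def parse_accounts(text):
    """Return one dict of field -> value per account block."""
    accounts = []
    for block in re.split(r"(?m)^-{3,}\s*$", text):
        fields = dict((k.strip(), v.strip()) for k, sep, v in
                      (ln.partition(":") for ln in block.splitlines()) if sep)
        if fields:
            accounts.append(fields)
    return accounts

def parse_when(value):
    """Return a naive datetime, or None when the field means 'no date'."""
    if value in ("never", "0", ""):
        return None
    for candidate in (value, value.rsplit(" ", 1)[0]):  # with / without zone
        try:
            return datetime.strptime(candidate, FMT)
        except ValueError:
            pass
    raise ValueError(f"unrecognised date field: {value!r}")

def aging_report(text, now, warn_days=7):
    """Return (user, status, must_change) for every account that ages."""
    report = []
    for acct in parse_accounts(text):
        due = parse_when(acct.get("Password must change", "never"))
        if due is None:
            continue  # no expiry set, nothing to report
        left = due - now
        status = ("EXPIRED" if left <= timedelta(0) else
                  "EXPIRING" if left <= timedelta(days=warn_days) else "ok")
        report.append((acct.get("Unix username", "?"), status, due))
    return report
```

On a live server the input would be the captured output of `pdbedit -L -v` rather than `SAMPLE`; timestamps are compared as naive local times, so run it on the Samba host itself.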