Web lists-archives.com

Re: [Samba] Attempts to Set Max Password Age in Samba Tool Fails







 From:   Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> 
 To:   "samba@xxxxxxxxxxxxxxx" <samba@xxxxxxxxxxxxxxx> 
 Sent:   3/29/2019 5:35 PM 
 Subject:   Re: [Samba] Attempts to Set Max Password Age in Samba Tool Fails 

On Fri, 29 Mar 2019 16:46:13 -0500 
Matthew Delfino <mdelfino.list.samba@xxxxxxxxxxxx> wrote: 
 
> Hey Rowland, thank you for getting back to me so quickly. Answers in 
> line below... 
>  
> From:   Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>  
>  
>  To:   <samba@xxxxxxxxxxxxxxx>  
>  Sent:   3/29/2019 4:33 PM  
>  Subject:   Re: [Samba] Attempts to Set Max Password Age in Samba 
> Tool Fails  
>  
> On Fri, 29 Mar 2019 15:45:57 -0500  
> Matthew Delfino via samba <samba@xxxxxxxxxxxxxxx> wrote:  
>   
> > Hello!  
> >   
> >   
> > I am on Samba 4.10.0, Ubuntu 16.04.2 LTS. I recently reset a 
> > password and found that my password expiration had somehow gotten 
> > set to 400 days.    
>   
> Where did you get the Samba 4.10.0 packages from ? 
>  
> I compiled the source code on samba.org, used 'make install' to put 
> them in place. 
 
Hmm, I suppose you 'configured' Samba to put Samba into the normal 
places Ubuntu usually finds it e.g. /var/lib/samba


Right you are.


What was your configure line ?


Assuming too much info is better than not enough, and hoping the context might help, here's my *upgrade* process:


# cd /usr/local/src

# wget https://download.samba.org/pub/samba/stable/samba-4.10.0.tar.gz (or whatever new version is posted)
# tar -zxf samba-4.10.0.tar.gz
# rm samba-4.10.0.tar.gz
# ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man/ --enable-debug
# make
# sudo service samba-ad-dc stop
# sudo make install
# sudo shutdown -r now


This process has never failed me... Perhaps... until now?


Is any of the standard Ubuntu Samba packages installed ?


No. Each of my DCs was built from the ground up for Samba to be installed via source code (and it was always installed with the aforementioned "configure" line). My domain's Samba AD DCs were on Samba 4.8.9 until last week, when I installed Samba 4.10.0 over them, using the commands above. The oldest version installed was some point release of 4.7.


When upgrading to 4.10.0, verbiage about moving to Python 3 in the READ ME lead me to take the extra step of installing the packages outlined on the samba wiki page entitled, "Package_Dependencies_Required_to_Build_Samba," section, "Debian / Ubuntu." Apropos to the comment you left below, note that this page does not recommend the "python3-crypto" package.


That's not me telling you that you're wrong because wiki page - I'm not that kind of dude. I'm just calling out that, if you're right, someone with Samba wiki editing powers would be a really cool if s/he'd add it to the list. ;-)


> >   
> > I went to one of my DCs and ran the following command:  
> >   
> >   
> >   
> > # samba-tool domain passwordsettings show  
> > Password informations for domain 'DC=samdom,DC=mydomain,DC=com'  
> >   
> >   
> > Password complexity: on  
> > Store plaintext passwords: off  
> > Password history length: 5  
> > Minimum password length: 14  
> > Minimum password age (days): 0  
> > Maximum password age (days): 400  
> > Account lockout duration (mins): 60  
> > Account lockout threshold (attempts): 30  
> > Reset account lockout after (mins): 60  
> >   
> >   
> > That needed to change so, I tried to enforce my company's policy:  
> >   
> >   
> >   
> > # samba-tool domain passwordsettings set --max-pwd-age=270  
> > ERROR(<class 'TypeError'>): uncaught exception - unorderable types:  
> > NoneType() >= int() File  
> > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 
> > 184, in _run return self.run(*args, **kwargs) File  
> > "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1513,  
> > in run if max_pwd_age and max_pwd_age > 0 and min_pwd_age >=  
> > max_pwd_age:    
>   
> What Python 3 packages are installed ?  
>  
>  
>  
> # dpkg --list | grep python3 | awk '{ print $1 "\t" $2 "\t" $3 }' 
> ii libpython3-dev:amd64 3.5.1-3 
> ii libpython3-stdlib:amd64 3.5.1-3 
> ii libpython3.5:amd64 3.5.2-2ubuntu0~16.04.5 
> ii libpython3.5-dev:amd64 3.5.2-2ubuntu0~16.04.5 
> ii libpython3.5-minimal:amd64 3.5.2-2ubuntu0~16.04.5 
> ii libpython3.5-stdlib:amd64 3.5.2-2ubuntu0~16.04.5 
> ii python3 3.5.1-3 
> ii python3-apport 2.20.1-0ubuntu2.18 
> ii python3-apt 1.1.0~beta1ubuntu0.16.04.2 
> ii python3-chardet 2.3.0-2 
> ii python3-commandnotfound 0.3ubuntu16.04.2 
> ii python3-dbus 1.2.0-3 
> ii python3-debian 0.1.27ubuntu2 
> ii python3-dev 3.5.1-3 
> ii python3-distupgrade 1:16.04.26 
> ii python3-dnspython 1.12.0-0ubuntu3 
> ii python3-gdbm:amd64 3.5.1-1 
> ii python3-gi 3.20.0-0ubuntu1 
> ii python3-gpgme 0.3-1.1 
> ii python3-markdown 2.6.6-1 
> ii python3-minimal 3.5.1-3 
> ii python3-newt 0.52.18-1ubuntu2 
> ii python3-pip 8.1.1-2ubuntu0.4 
> ii python3-pkg-resources 20.7.0-1 
> ii python3-problem-report 2.20.1-0ubuntu2.18 
> ii python3-pycurl 7.43.0-1ubuntu1 
> ii python3-pygments 2.1+dfsg-1 
> ii python3-requests 2.9.1-3ubuntu0.1 
> ii python3-setuptools 20.7.0-1 
> ii python3-six 1.10.0-3 
> ii python3-software-properties 0.96.20.8 
> ii python3-systemd 231-2build1 
> ii python3-update-manager 1:16.04.15 
> ii python3-urllib3 1.13.1-2ubuntu0.16.04.2 
> ii python3-wheel 0.29.0-1 
> ii python3-yaml 3.11-3build1 
> ii python3.5 3.5.2-2ubuntu0~16.04.5 
> ii python3.5-dev 3.5.2-2ubuntu0~16.04.5 
> ii python3.5-minimal 3.5.2-2ubuntu0~16.04.5 
 
I haven't built 4.10 (yet), but at least one thing jumps out, to build 
with python2, you need python2-crypto, so I suppose that you will need 
python3-crypto when building with python3


Okay. I just got that "python3-crypto" package on my DCs. I'm going to start the long process of recompiling and reinstalling now to see if that helps. I'm going to send this email before doing so in case you're inclined to reply on the weekend with any insights from this message.


I hope you're having a nice weekend.


Matthew



© 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba