I have a samba server which is using LDAP as its backend. The PDC is working as expected as long as I create the users manually. This means that if I use the following command to create a new user, I can log in on a Windows machine using the user bob and I am not asked to change the password:
    sudo smbldap-useradd -a -P bob

Since I do not have access to the cleartext passwords of the users, I use an LDIF file to modify the sambaNTPassword attribute of the user. This is the only way I could come up with, because I am only provided with the NTLM hash of the password. Nevertheless, the password is then successfully updated and I can log on to the Windows machine.
Here is the problem: users and their hash digests are provided to me in bulk. They are first written into a PostgreSQL database. Then I have to run a script that reads the list of new users from the database along with their NTLM digests. Since this process should be automated, I have to develop a bash script for this purpose. Here is the part of my script that runs the above command:
    #!/bin/bash
    /usr/bin/expect <<EOD
    spawn smbldap-useradd -a -P $username
    expect "New password:" { send -- "$tot\n" }
    expect "Retype new password:" { send -- "$toto\n" }
    EOD

The user is successfully created and I can log on to the Windows machine with it. The problem is that I receive the following message:
your password expires today. do you want to change it?
Does anybody know where the difference comes from? To me both methods seem identical.
My server: Ubuntu 12.04 LTS
Samba: 3.6.3
The following is the LDAP entry of user bob when I create it manually (entering the passwords by hand) and then update its sambaNTPassword attribute:
    $ ldapsearch -x uid=bob
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mydomain,dc=com> (default) with scope subtree
    # filter: uid=bob
    # requesting: ALL
    #

    # bob, Users, mydomain.com
    dn: uid=bob,ou=Users,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    cn: bob
    sn: bob
    uid: bob
    uidNumber: 1166
    gidNumber: 513
    homeDirectory: /home/bob
    loginShell: /bin/bash
    gecos: System User
    givenName: bob
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    displayName: bob
    sambaSID: S-1-5-21-343724861-3572058179-3643679278-3332
    sambaLMPassword: B267DF22CB945E3EAAD3B435B51404EE
    sambaAcctFlags: [U]
    sambaPwdLastSet: 1402503403
    sambaPwdMustChange: 1488903403
    shadowLastChange: 16232
    shadowMax: 1000
    sambaNTPassword: FCFC9A2A1E3F4F9F5E1EBA9A4592507E

And the following is the LDAP entry of user bob when I create it using the script (I update the sambaNTPassword in this case as well):

    # bob, Users, mydomain.com
    dn: uid=bob,ou=Users,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    cn: bob
    sn: bob
    uid: bob
    uidNumber: 1168
    gidNumber: 513
    homeDirectory: /home/bob
    loginShell: /bin/bash
    gecos: System User
    givenName: bob
    sambaPwdLastSet: 0
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    displayName: bob
    sambaAcctFlags: [UX]
    sambaSID: S-1-5-21-343724861-3572058179-3643679278-3336
    sambaNTPassword: FCFC9A2A1E3F4F9F5E1EBA9A4592507E
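As an added example (not the poster's script), the following shell builds the LDIF modify that writes a user's NT hash into sambaNTPassword, as the question describes doing by hand, and also records sambaPwdLastSet, the attribute that is 1402503403 in the manually created entry above but 0 in the scripted one. It assumes the base DN dc=mydomain,dc=com from the ldapsearch output, that the account already exists, and placeholder values for the bind DN and password file; it validates the uid and hash before they are interpolated, so a malformed database row cannot yield an LDIF that touches another entry.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds the LDIF modify that writes
# a user's NT hash into sambaNTPassword and also records sambaPwdLastSet,
# which is set in the manually created entry above but 0 in the scripted one.
# Assumptions: base DN dc=mydomain,dc=com from the ldapsearch output; the
# account already exists; BIND_DN and PASS_FILE are placeholders for an
# identity that may write the samba* attributes.

BASE_DN="dc=mydomain,dc=com"
BIND_DN="cn=admin,${BASE_DN}"               # placeholder
PASS_FILE="/etc/ldap.secret"                # placeholder, keep it mode 0600

# Validate inputs before they are interpolated into LDIF: the uid must be a
# plain account name and the hash exactly 32 hex digits, so a malformed
# database row cannot produce an LDIF that modifies a different entry.
valid_uid()  { printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'; }
valid_hash() { printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$'; }

# Print the LDIF for one user: uid, NT hash, optional sambaPwdLastSet epoch
# (defaults to now). Returns 1 without printing anything on bad input.
make_ntpass_ldif() {
    uid=$1; hash=$2; last_set=${3:-$(date +%s)}
    valid_uid "$uid"   || { echo "bad uid: $uid" >&2; return 1; }
    valid_hash "$hash" || { echo "bad NT hash for $uid" >&2; return 1; }
    hash=$(printf '%s' "$hash" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
dn: uid=${uid},ou=Users,${BASE_DN}
changetype: modify
replace: sambaNTPassword
sambaNTPassword: ${hash}
-
replace: sambaPwdLastSet
sambaPwdLastSet: ${last_set}
-
EOF
}

# Apply it for one user. The LDIF goes in on stdin, so the hash is never on
# a command line where other local users could read it from ps.
set_ntpass() {
    make_ntpass_ldif "$1" "$2" | ldapmodify -x -D "$BIND_DN" -y "$PASS_FILE"
}

# Typical use with rows of "uid<TAB>hash" exported from the database:
#   while IFS="$(printf '\t')" read -r u h; do set_ntpass "$u" "$h"; done < users.tsv
```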