User expired in w10 with AD

activedirectory
v7

(Riccardo Prandini) #1

Mmmm I have an issue.
I’m not a sysadmin, an LDAP man, a power user so I have no knowledge.

I’m on holiday (This is strange but not an issue)
My config is AD with Samba share and 20 users under Win 10. It has been working since 1 April 2018; I have added group users and passwords and shares.
Password expiration is 90 days.

In June/July Windows popped up to users with “Hey, your password is expired, please change”… no problem

On 29/10/2018 a user called me saying “My Win 10 says: user is expired”, so I connected remotely and edited the user password, changing it, and it is enabled.

Today, 31/10/2018, a lot of users called me saying “My Win 10 says: user is expired”, so to avoid trouble I reset all PSW and now I can stay happy on holiday.

Why this?!?!

Is password expiration in Neth related to what is stored in LDAP?
I have no idea what the relation is with the admin console configuration of users and groups.

Under a standalone Linux system I remember chage is related to it.

Does all access related to SSH rely on AD/LDAP?
Does chgpsw rely on AD/LDAP?


(Rob Bosch) #2

Hi @Riccardo_Prandini
What you describe is default behaviour of Samba4 AD account provider in NethServer 7. You can find more on this in the Admin manual: http://docs.nethserver.org/en/v7/accounts.html#expiration
You can handle this in a few ways:

  • Make sure the users change their password before the password expires. They can do that themselves by logging in on the NethServer admin webinterface. When a normal user logs in on the NethServer admin webinterface, they are provided with some options of their account including changing their password.
  • As an admin you can remove the expiration of accounts in the admin webinterface. Go to Management / Users and Groups and click edit for the user account that needs expiration changed and remove the tick in the checkbox for password expiration.

(Riccardo Prandini) #3

@robb Thanks for the fast reply; I’m not so fast, sorry.

MMM ok…

But in a real situation, I have to deal with:
Users that go on holiday or are away or can’t go to work for… 15 20 xx days.

I’m sure that I have seen the Win 10 warning that your password is expired. Was I dreaming? Or that was the day it was expiring?

If they change it via Win 10, is it counted as a password change and does the time restart?

Is there a way to expose “Remember: your password is going to expire. If you don’t change it a lot of bad things could happen”?

Suppose I have this situation:

Each PC is under AD.
I have to create a user (call it “ResetPasswordUser”) with only a browser and, via this user (that has a password that doesn’t expire), a legit user can reset his password?


(Riccardo Prandini) #4

I still have a problem: some users are locked if password expiration is flagged, even after the user changes his password himself. My only solution is to remove the flag for password expiration.


(Davide Principi) #5

Please inspect the user properties with

  nsdc-run -- pdbedit --help

And

  net ads search -P samaccountname=USERNAME
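
To read the attributes such a search returns, the following added example (not part of the thread and not NethServer code) separates an expired account from an expired password using the standard AD attributes `pwdLastSet`, `accountExpires` and `userAccountControl`. The sample output, its `name: value` layout and the function names are assumptions; the 90-day maximum age is the one stated in the first post.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the "name: value" form assumed for the search output.
SAMPLE = """\
sAMAccountName: jdoe
userAccountControl: 512
pwdLastSet: 131775552000000000
accountExpires: 9223372036854775807
"""

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NO_EXPIRY = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "never"
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl flag bits
UF_DONT_EXPIRE_PASSWD = 0x10000

def filetime(value):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)

def parse(text):
    """Collect 'name: value' lines into a dict keyed by lower-cased name."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def status(attrs, now, max_age_days=90):
    """Report account expiry and password expiry as separate conditions."""
    uac = int(attrs["useraccountcontrol"])
    last_set = int(attrs["pwdlastset"])
    acct = int(attrs.get("accountexpires", 0))
    if uac & UF_DONT_EXPIRE_PASSWD:
        pwd_expires = None             # password expiration disabled for user
    elif last_set == 0:
        pwd_expires = EPOCH_1601       # must change password at next logon
    else:
        pwd_expires = filetime(last_set) + timedelta(days=max_age_days)
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "account_expired": acct not in NO_EXPIRY and filetime(acct) <= now,
        "password_expires": pwd_expires,
        "password_expired": pwd_expires is not None and pwd_expires <= now,
    }

if __name__ == "__main__":
    print(status(parse(SAMPLE), datetime.now(timezone.utc)))
```

If `password_expired` is true while `account_expired` is false, the lockout comes from the password age policy rather than from an expiry date set on the account itself.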