Password Expiry Management (Gestione Scadenze Password): Difference between revisions
Latest revision as of 14:37, 20 June 2022
Samba 4
These settings CANNOT be managed through AD policy: they must be set with samba-tool:
samba-tool domain passwordsettings show
Password informations for domain 'DC=example,DC=priv'
Password complexity: on
Store plaintext passwords: off
Password history length: 3
Minimum password length: 12
Minimum password age (days): 1
Maximum password age (days): 30
Account lockout duration (mins): 15
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 15
Example:
samba-tool domain passwordsettings --help
Usage: samba-tool domain passwordsettings (show|set <options>) [options]
Set password settings.
Password complexity, password lockout policy, history length,
minimum password length, the minimum and maximum password age) on
a Samba AD DC server.
Use against a Windows DC is possible, but group policy will override it.
Options:
--complexity=COMPLEXITY
The password complexity (on | off | default). Default
is 'on'
--store-plaintext=STORE_PLAINTEXT
Store plaintext passwords where account have 'store
passwords with reversible encryption' set (on | off |
default). Default is 'off'
--history-length=HISTORY_LENGTH
The password history length (<integer> | default).
Default is 24.
--min-pwd-length=MIN_PWD_LENGTH
The minimum password length (<integer> | default).
Default is 7.
--min-pwd-age=MIN_PWD_AGE
The minimum password age (<integer in days> |
default). Default is 1.
--max-pwd-age=MAX_PWD_AGE
The maximum password age (<integer in days> |
default). Default is 43.
--account-lockout-duration=ACCOUNT_LOCKOUT_DURATION
The the length of time an account is locked out after
exeeding the limit on bad password attempts (<integer
in mins> | default). Default is 30 mins.
--account-lockout-threshold=ACCOUNT_LOCKOUT_THRESHOLD
The number of bad password attempts allowed before
locking out the account (<integer> | default).
Default is 0 (never lock out).
--reset-account-lockout-after=RESET_ACCOUNT_LOCKOUT_AFTER
After this time is elapsed, the recorded number of
attempts restarts from zero (<integer> | default).
Default is 30.
Samba 3
The "Domain Policy" settings for automatic password expiry, minimum length, etc. can be managed with User Manager for Domains from a Windows workstation.
Alternatively, pdbedit can be used from Linux.
Listing the policy names
pdbedit -P ?
The policy names are listed:
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change
Querying a value
The syntax is:
pdbedit -P "nome_policy"
For example, to see the password expiry interval (in seconds):
pdbedit -P "maximum password age"
account policy value for maximum password age is 4294967295
Which, expressed in days, is:
echo "$(pdbedit -P "maximum password age" | cut --delim=' ' -f 9)/60/60/24" | bc
49710
In this case it is the maximum value (Never Expires).
Setting a policy value
To set a policy value, the syntax is:
pdbedit -P "nome_policy" -C #valore
- Example: set the minimum password length to 8 characters:
pdbedit -P "min password length" -C 8
Note that time values must be expressed in seconds.
See pdbedit tool for details.
To see how to set the password expiry date for a user: Gestione_account_Samba_da_command_line
Displaying per-user values
To see a user's password expiry date:
pdbedit -Lv user.name | grep Password
Password last set: Fri, 12 Aug 2005 10:25:40 GMT
Password can change: Fri, 12 Aug 2005 10:25:40 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
The password never expires
If users are never asked to change their password even though a time-based expiry policy has been set, there is probably an invalid value in the "Password must change" field, caused, for example, by the account having been imported from NT:
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
It is enough to have the user change their password, and this value will then be set correctly.
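An added example (not part of the original wiki page): a shell function that scans `pdbedit -Lv` output for accounts in the state described above, where "Password must change" is earlier than "Password last set". The sample listing and user names are constructed, and the "Unix username:" label is assumed from pdbedit's verbose listing format.

```shell
#!/bin/sh
# Added example, not from the original page.
# Reads `pdbedit -Lv` output on stdin and prints each account whose
# "Password must change" date is earlier than its "Password last set" date.
find_bad_must_change() {
    awk '
    # "Fri, 13 Dec 1901 21:45:51 GMT" -> sortable key "19011213214551";
    # returns "" for non-date values such as "never".
    function key(s,    f, t, m) {
        if (split(s, f, " ") < 5) return ""
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", f[3])
        if (m == 0) return ""
        split(f[5], t, ":")
        return sprintf("%04d%02d%02d%02d%02d%02d", f[4], (m + 2) / 3, f[2], t[1], t[2], t[3])
    }
    # Emit the current account if both dates parsed and the order is wrong.
    function check() {
        if (user != "" && set != "" && must != "" && must < set) print user
        user = set = must = ""
    }
    /^Unix username:/        { check(); user = $3 }
    /^Password last set:/    { sub(/^[^:]*:[ \t]*/, ""); set = key($0) }
    /^Password must change:/ { sub(/^[^:]*:[ \t]*/, ""); must = key($0) }
    END { check() }
    '
}

# Constructed sample listing (user names are made up; "Unix username:" is the
# label assumed for the account name line).
sample_pdbedit_output() {
    cat <<'EOF'
Unix username:        imported.user
Password last set:    Fri, 12 Aug 2005 10:25:40 GMT
Password can change:  Fri, 12 Aug 2005 10:25:40 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Unix username:        normal.user
Password last set:    Mon, 06 Jun 2022 08:00:00 GMT
Password can change:  Tue, 07 Jun 2022 08:00:00 GMT
Password must change: Wed, 06 Jul 2022 08:00:00 GMT
Unix username:        service.user
Password last set:    Mon, 06 Jun 2022 08:00:00 GMT
Password can change:  Mon, 06 Jun 2022 08:00:00 GMT
Password must change: never
EOF
}

# On a Samba 3 server: pdbedit -Lv | find_bad_must_change
sample_pdbedit_output | find_bad_must_change
```

Accounts it reports are the ones that will not be prompted until the user changes the password once.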