How-to: Samba - disable user expiry - Password does never expire

Knowledge Base Community
, , ,
#1

How to:

If you want to disable the expiry from User Accounts, you change the settings directly with the samba-tools.
This is sometimes necessary if the guidelines for passwords under Samba do not work properly and the user password keeps expiring.
The required function at the Samba level is not set in the pso fine graned passwordpolicys,
but is located in the userAccountControl attribute.

samba-tool user setexpiry --help
Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --filter=FILTER       LDAP Filter to set password on
  --days=DAYS           Days to expiry
  --noexpiry            Password does never expire
  --color=always|never|auto
                        use colour if available (default: auto)

In Microsoft and Samba, the values for the attributes are set in decimal numbers via the list of property flags.
Further information on the flags can be found under the following link:

Step 1: Get the attribute for the User

univention-s4search cn=max.muster | grep -i account

The value for NORMAL_ACCOUNT is 512

userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: max.muster
sAMAccountType: 805306368

Step 2: Setexpiry for the User

samba-tool user setexpiry --noexpiry max.muster

Output:

Expiry for user 'max.muster' disabled.

After the operation has been performed the value of accountExpires is set to 0 and the value of userAccountControl is set to 66048.
This new value is made up of the previous value of NORMAL_ACCOUNT 512 and DONT_EXPIRE_PASSWORD 65536.

univention-s4search cn=max.muster | grep -i account

sAMAccountName: max.muster
sAMAccountType: 805306368
userAccountControl: 66048
accountExpires: 0
#2
Mastodon