gklyne / admiral-jiscmrd

Automatically exported from code.google.com/p/admiral-jiscmrd
MIT License

SSH account passwords expire #67

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The password expires after a certain number of days (this has been experienced by Seb in the Devel Group).

Original issue reported on code.google.com by bhavana....@gmail.com on 14 Jun 2011 at 10:53

GoogleCodeExporter commented 8 years ago
It seems to come down to user entries in LDAP being created with a shadowMax value of 45 (days), when that value should be something like 99999 (a few centuries).
It is probably a fairly standard LDAP update command to replace values for existing users.

#graham

Original comment by bhavana....@gmail.com on 14 Jun 2011 at 10:54

GoogleCodeExporter commented 8 years ago
Explanation on /etc/shadow for each field: 
http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

Using the 'chage' command (note: not change), one could change the expiry date on the password:
http://www.unix.com/shell-programming-scripting/82501-force-change-password-modifying-etc-shadow.html

#Bhavana

Original comment by bhavana....@gmail.com on 14 Jun 2011 at 10:56

GoogleCodeExporter commented 8 years ago
Use smbldap-usermod instead as it overrides the shadow

Original comment by bhavana....@gmail.com on 14 Jun 2011 at 12:28

GoogleCodeExporter commented 8 years ago
Work needed: modify the script that adds users and test it before rolling over to all the groups. Presently have manually changed the settings on all existing users of the groups.

Original comment by bhavana....@gmail.com on 14 Jun 2011 at 12:31

GoogleCodeExporter commented 8 years ago
Example command to extend password expire age:
smbldap-usermod --shadowMax 99999 <username>

Original comment by gk-goo...@ninebynine.org on 28 Oct 2011 at 3:42

GoogleCodeExporter commented 8 years ago
Command to list users: smbldap-userlist

Original comment by graham.k...@oerc.ox.ac.uk on 5 Feb 2013 at 1:01

GoogleCodeExporter commented 8 years ago
Edited /root/admiralusermanagement.sh to add smbldap-usermod command to function generatesystemuser(), as shown below. With this change, new users are created with shadowMax set to 99999 days.

function generatesystemuser()
{
    # $1 = users script name
    # $2 = new user password
    # The users script sets username, userfullname, userrole, userroom, userphone
    source "$1"
    password=$2
    echo $username \"$userfullname\" $userrole \"$userroom\" \"$userphone\" $password

    # Create new user account
    if [[ "$password" == "" ]]; then
        smbldap-useradd -a -P -m -g "$userrole" "$username"
    else
        smbldap-useradd -a -P -m -g "$userrole" "$username" <<END
$password
$password
END
    fi
    smbldap-userinfo -f "$userfullname" -r "$userroom" -w "$userphone" "$username"
    # Set the maximum password age so that the new account's password does not expire
    smbldap-usermod --shadowMax 99999 "$username"

    # For non-collaborators, create user directories and set permissions
    if [[ "$userrole" != "RGCollaborator" ]]; then
        # Create ADMIRAL working directory areas for the new user
        # if they don't already exist
        mkdir -p "/home/data/private/$username"
        mkdir -p "/home/data/shared/$username"
        mkdir -p "/home/data/collab/$username"

        # Set user data area owner and ACLs
        setdataownerandaccess "$username" "$username" "$userrole"

        # Set up Apache access control configuration
        /root/createapacheuserconfig.sh "$username"
    fi
}

Original comment by graham.k...@oerc.ox.ac.uk on 5 Feb 2013 at 1:10
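
An added example, not part of the original thread or of the ADMIRAL scripts: a shell function that audits LDIF exported from the directory for accounts whose shadowMax is still below 99999, as a check that the manual change reached every existing user. The ldapsearch invocation in the comment, the base DN placeholder and the sample entries are assumptions.

```shell
# Added example: report accounts whose shadowMax still forces password expiry.
# Reads unfolded LDIF on stdin, e.g. from (assumed invocation, adjust base DN):
#   ldapsearch -x -LLL -o ldif-wrap=no -b "<base-dn>" \
#     '(objectClass=shadowAccount)' uid shadowMax shadowLastChange
#
# audit_shadowmax TODAY [LIMIT]
#   TODAY: current date in days since 1970-01-01 (unit of shadowLastChange)
#   LIMIT: shadowMax values below this are reported (default 99999)
# Prints "uid shadowMax days_left" per flagged account; days_left is negative
# once the password has expired and "?" when shadowLastChange is missing.
audit_shadowmax() {
    awk -v today="$1" -v limit="${2:-99999}" '
        function flush() {
            if (uid != "" && max != "" && max + 0 < limit + 0) {
                left = (last != "") ? last + max - today : "?"
                print uid, max, left
            }
            uid = ""; max = ""; last = ""
        }
        { key = tolower($1) }      # LDIF attribute names are case-insensitive
        key == "uid:"              { uid  = $2 }
        key == "shadowmax:"        { max  = $2 }
        key == "shadowlastchange:" { last = $2 }
        /^[ \t\r]*$/               { flush() }   # blank line ends an entry
        END                        { flush() }   # last entry may lack one
    '
}

# Constructed sample data (not taken from the ADMIRAL directory).
sample_ldif() {
    cat <<'EOF'
dn: uid=user1,ou=Users,dc=example,dc=org
uid: user1
shadowLastChange: 15100
shadowMax: 45

dn: uid=user2,ou=Users,dc=example,dc=org
uid: user2
shadowLastChange: 15100
shadowMax: 99999

dn: uid=user3,ou=Users,dc=example,dc=org
uid: user3
shadowMax: 45
EOF
}

# 15139 days since the epoch is 14 Jun 2011
sample_ldif | audit_shadowmax 15139
```

An empty result means every listed account already has shadowMax at or above the limit.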