[Samba] Password Expiration

David Brodbeck DavidB at mail.interclean.com
Wed Mar 20 07:53:05 GMT 2002


If you resort to writing your own method of letting people know their
passwords are about to expire, you might look into doing it with a WinPopUp
notification.  I'm not sure if a WinPopUp client runs by default on 95/98,
though if it doesn't you could probably launch one from the login script.
We thankfully don't have many of those machines here; we're mostly an NT 4.0
shop.

Even NT isn't perfect when it comes to password expiration.  If you manually
expire someone's password while they're logged in, they aren't notified of
what happened until their next login, but Exchange and other services that
do network authentication cut them off immediately!

-----Original Message-----
From: Jim Morris [mailto:jim at morris-world.com]
Sent: Wednesday, March 20, 2002 10:35 AM
To: samba at lists.samba.org
Subject: [Samba] Password Expiration


Hi All.

I want to confirm something I have been researching.  I have a site that
I installed a Linux/Samba server for several years ago. After years of
successful use, this location is having a number of new security
policies rammed down their throat by their corporate headquarters. One
of the new policies is that ALL passwords must expire after 60 days.

My research in the mailing list archives and on the Internet seems to
indicate that Samba 2.2.x can be configured to obey the PAM
authentication rules - which would imply following any password
expiration rules established for the system via the PAM configuration. 
However, based on the Samba 2.2.3a smb.conf man page, it seems that this
requires you to disable the use of encrypted passwords.  Unfortunately,
this would mean going around to ALL PCs on a large network (100+ users)
and performing the plain-text password registry hack.

The other information I have found in my research is that Windows 95/98
clients apparently do not handle password expiration well. I.e. they
keep logging into the domain until the password expires, and then just
cannot log in anymore.

Can anyone confirm or refute these facts for me?  Has anyone
successfully set up password expiration on a Samba server that serves a
mix of Windows NT, Windows 2000 and Windows 98 clients (90% Windows 98
in this case)?

I have thought of all sorts of ways to let PC users know to change their
passwords - via some type of program that runs from the login scripts,
via a web page on the Samba server, etc.  In reality I think they are
better off NOT expiring the passwords, as that will tend to force users
to choose poor passwords in the long run.  It's not my call though - I
am just basically an unpaid technical consultant in this case...

Thanks!
-- 
/-------------------------------------\
| Jim Morris  |  jim at morris-world.com |
\-------------------------------------/
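
An added example, not part of either poster's message: one way to find which accounts are due a "password about to expire" notice under the 60-day policy discussed above. It assumes the server keeps accounts in the text smbpasswd file, where each entry carries an `LCT-<hex>` last-change-time field; the 7-day warning window, the function names and the sample entries are constructed for illustration.

```python
MAX_AGE_DAYS = 60      # expiry policy stated in the post
WARN_DAYS = 7          # assumption: start warning a week ahead
DAY = 86400
NOW = 0x3C980000       # fixed "current time" so the sample is reproducible

def parse_lct(line):
    """Return (user, last_change_epoch), or None for comments/malformed entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        return None
    for field in fields[4:]:
        if field.startswith("LCT-"):
            try:
                return fields[0], int(field[4:], 16)
            except ValueError:
                return None
    return None

def expiry_report(lines, now, max_age=MAX_AGE_DAYS, warn=WARN_DAYS):
    """Map user -> days left (negative means already expired) for accounts
    that are inside the warning window. Hashes are never read or stored."""
    report = {}
    for line in lines:
        parsed = parse_lct(line)
        if parsed is None:
            continue
        user, lct = parsed
        if user.endswith("$"):          # machine trust accounts, not people
            continue
        days_left = max_age - (now - lct) // DAY
        if days_left <= warn:
            report[user] = days_left
    return report

def sample_line(user, age_days):
    """Constructed smbpasswd-style entry; hash fields are X placeholders."""
    x = "X" * 32
    return "%s:1001:%s:%s:[U          ]:LCT-%08X:" % (user, x, x, NOW - age_days * DAY)

SAMPLE = ["# constructed sample, not real account data",
          sample_line("alice", 10), sample_line("bob", 55),
          sample_line("carol", 61), sample_line("ws01$", 90),
          "broken:entry"]

if __name__ == "__main__":
    for user, left in sorted(expiry_report(SAMPLE, NOW).items()):
        print(user, "expired" if left < 0 else "%d day(s) left" % left)
```

The resulting list can feed whichever delivery method the site chooses, such as the WinPopUp message or login-script notice mentioned in the thread. Run it as a user allowed to read the smbpasswd file and keep its output free of the hash fields.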

