[Samba] Password Expiration
Andrew Bartlett
abartlet at pcug.org.au
Wed Mar 20 12:50:07 GMT 2002
Jim Morris wrote:
>
> Hi All.
>
> I want to confirm something I have been researching. I have a site that
> I installed a Linux/Samba server for several years ago. After years of
> successful use, this location is having a number of new security
> policies rammed down their throat by their corporate headquarters. One
> of the new policies is that ALL passwords must expire after 60 days.
>
> My research in the mailing list archives and on the Internet seems to
> indicate that Samba 2.2.x can be configured to obey the PAM
> authentication rules - which would imply following any password
> expiration rules established for the system via the PAM configuration.
> However, based on the Samba 2.2.3a smb.conf man page, it seems that this
> requires you to disable the use of encrypted passwords. Unfortunately,
> this would mean going around to ALL PCs on a large network (100+ users)
> and performing the plain-text password registry hack.

Incorrect. When 'obey pam restrictions = yes', Samba will also honor
PAM's account and session controls for encrypted passwords.

> The other information I have found in my research is that Windows 95/98
> clients apparently do not handle password expiration well. I.e. they
> keep logging into the domain until the password expires, and then just
> cannot log in anymore.

This is much better in HEAD.

> Can anyone confirm or refute these facts for me? Has anyone
> successfully set up password expiration on a Samba server that serves a
> mix of Windows NT, Windows 2000 and Windows 98 clients (90% Windows 98
> in this case).
>
> I have thought of all sorts of ways to let PC users know to change their
> passwords - via some type of program that runs from the login scripts,
> via a web page on the Samba server, etc. In reality I think they are
> better off NOT expiring the passwords, as that will tend to force users
> to choose poor passwords in the long run. It's not my call though - I
> am just basically an unpaid technical consultant in this case...

Password expiration is always a difficult area.

Hope this helps,
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
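
Added example, not part of the original message and not Samba code: a report of which accounts are approaching or past password expiry, so users on clients that handle expiration badly can be warned before they are refused. It assumes the PAM account stack used for Samba checks shadow password aging (for example via pam_unix) and uses the 60-day maximum age from the question; the function names and the sample shadow lines are constructed for illustration.

```python
from datetime import date

# Constructed sample in shadow(5) format; hashes are placeholders, not real.
SAMPLE_SHADOW = """\
alice:$1$placeholder:11700:0:60:7:::
bob:$1$placeholder:11760:0:60:7:::
carol:$1$placeholder:11650:0:60:7:14::
dave:$1$placeholder:11760:0:99999:7:::
erin:$1$placeholder:11710:0:60:7:::
svc:!:11000:0:60:7:::
"""

def days_since_epoch(d):
    # shadow(5) stores dates as whole days since 1970-01-01
    return (d - date(1970, 1, 1)).days

def classify(line, today, warn_default=7):
    """Return (user, state, days_left) for one shadow line, or None to skip."""
    f = line.strip().split(":")
    if len(f) < 8 or f[1].startswith(("!", "*")):
        return None  # malformed entry or locked account
    user, lastchg, maxage, warn, inactive = f[0], f[2], f[4], f[5], f[6]
    if lastchg == "0":
        return (user, "must-change", 0)  # change forced at next login
    if not lastchg or not maxage or int(maxage) >= 99999:
        return (user, "no-expiry", None)  # aging disabled for this account
    left = int(lastchg) + int(maxage) - today
    if left < 0:
        # Past maximum age: a change is required; once the inactivity
        # period has also passed, the account is refused outright.
        if inactive and -left > int(inactive):
            return (user, "locked-out", left)
        return (user, "expired", left)
    if left <= (int(warn) if warn else warn_default):
        return (user, "warn", left)
    return (user, "ok", left)

def report(shadow_text, today):
    rows = (classify(l, today) for l in shadow_text.splitlines() if l.strip())
    return {r[0]: r[1:] for r in rows if r}

if __name__ == "__main__":
    today = days_since_epoch(date(2002, 3, 20))
    for user, (state, left) in report(SAMPLE_SHADOW, today).items():
        print(f"{user:8} {state:12} {left}")
```

Run against the real shadow file as root, the "warn" and "expired" rows are the users to notify before their next login attempt.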