[Samba] password aging
Andrew Bartlett
abartlet at samba.org
Wed Mar 5 21:59:16 GMT 2003
On Wed, 2003-03-05 at 06:12, joe.morin at dominiondiagnostics.com wrote:
> Still no luck.
> I set 'obey pam restrictions = yes' and 'pam password change yes', I
> already had the 'unix password sync = yes'.
> I can see entries in the log like this :
>
> Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user
> username by (uid=0)
> Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users
> username
>
> So I'm assuming samba is working with pam. I have also successfully
> changed my user password via the client. I have edited /etc/shadow to
> expire my password in 1 day. When I log into the machine via ssh I get the
> messages saying my password is about to expire, but when I log onto the PC
> (which has joined the domain) I don't get the popup message. If my
> password does expire on linux/samba, I get locked out of the domain without
> receiving any message on the PC. (This happened to me when my password
> expired yesterday).
>
> I have samba and pam implemented, do I need to implement something else?
Don't use Win9X as a 'domain' client. Samba 2.2 does not support
sensible error codes to Win9X for this behavior. Samba 3.0 does,
however (due to a complete auth rewrite).
> Should I try implementing OpenLDAP? I don't want to implement an alpha
> version of samba 3.0 since this is a production environment and I can't
> risk having users locked out.
>
> Is there somewhere else I can look to get documentation about this?
>
> Thank you,
>
>
> Joseph Morin
> Dominion Diagnostics
>
> Andrew Bartlett <abartlet at samba.org>
> 02/19/2003 06:12 PM
>
> To: joe.morin at dominiondiagnostics.com
> cc: samba at lists.samba.org
> Subject: Re: [Samba] password aging
>
> On Thu, 2003-02-20 at 07:11, joe.morin at dominiondiagnostics.com wrote:
> >
> > What are my options for implementing password aging using samba as my
> > PDC?
> > I can set the users Linux password to expire, but it doesn't seem to
> > propagate to their samba passwords.
> > I absolutely need this functionality. Is OpenLDAP the answer?
>
> If you set 'obey pam restrictions = yes' and set up the correct PAM
> configuration files, then Samba will also honor this. You should also
> set 'unix password sync = yes' and 'pam password change yes' so that the
> password changes update the PAM backend too.
>
> Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to
> store your passwords, which fully supports password expiry, based on our
> own 'pwdMustChange' attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
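
An added example, not part of the original thread or of Samba: because the thread reports users being locked out of the domain with no warning on the client, an administrator can read the aging fields of /etc/shadow directly and list the accounts that need attention. The field layout follows shadow(5); the sample entries, user names, function names and the treatment of a 99999-day maximum as "no aging" are assumptions of this example.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow(5) counts days since this date

# Constructed sample entries (name:hash:lastchg:min:max:warn:inactive:expire:reserved)
SAMPLE_SHADOW = """\
alice:x:12020:0:90:7:::
bob:x:12030:0:90:7:::
carol:x:12100:0:90:7:::
dave:x:12000:0:99999:7:::
erin:x:0:0:90:7:::
"""

def _num(field):
    """Numeric shadow fields may be empty; return None in that case."""
    return int(field) if field.strip() else None

def aging_status(line, today):
    """Classify one shadow entry as of `today` (a datetime.date).

    Returns (user, state, days_left); state is one of
    'no-aging', 'must-change', 'ok', 'warn', 'expired'.
    """
    f = line.rstrip("\n").split(":")
    if len(f) < 9:
        raise ValueError("not a shadow(5) entry: %r" % line)
    user, lastchg, maxage, warn = f[0], _num(f[2]), _num(f[4]), _num(f[5])
    if lastchg == 0:                       # change forced at next login
        return user, "must-change", 0
    if lastchg is None or maxage is None or maxage >= 99999:
        return user, "no-aging", None      # assumption: 99999 means "never"
    days_left = lastchg + maxage - (today - EPOCH).days
    if days_left < 0:
        return user, "expired", days_left
    if warn is not None and days_left < warn:
        return user, "warn", days_left
    return user, "ok", days_left

def report(shadow_text, today):
    """Return only the entries an administrator has to act on."""
    rows = [aging_status(l, today) for l in shadow_text.splitlines() if l.strip()]
    return [r for r in rows if r[1] in ("must-change", "warn", "expired")]

if __name__ == "__main__":
    for user, state, days in report(SAMPLE_SHADOW, date(2003, 3, 5)):
        print("%-8s %-12s %s" % (user, state, days))
```

Run against the real file it needs root, for example `report(open("/etc/shadow").read(), date.today())`.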