[Samba] Cannot change expired password

Jason Baker jbaker at glastender.com
Wed Jan 31 16:47:19 GMT 2007


Sorry again to answer my own post, but I at least figured out how to 
change the Password Last Set value using the LDAP Account Manager. 
Basically you need to set a date further back than 7 days. Convert it to 
a Unix timestamp and enter it into the user's LDAP info. Then your user 
will be allowed to change their expired password. But that still doesn't 
explain why the Password Can Change attribute doesn't sync with Password 
last set in pdbedit.

*Jason Baker*
/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com <http://www.glastender.com>



On 1/31/2007 11:20 AM, Jason Baker wrote:
> I should have checked log files before I posted. Anyway, here is some 
> additional info.
> I checked the log file for the machine I was trying to change the 
> password on and here is what it says:
>
>     [2007/01/31 10:28:06, 1] auth/auth_sam.c:sam_account_ok(178)
>       sam_account_ok: Account for user 'test' password expired!.
>     [2007/01/31 10:28:06, 1] auth/auth_sam.c:sam_account_ok(179)
>       sam_account_ok: Password expired at 'Tue, 30 Jan 2007 10:09:38
>     EST' (1170169778) unix time.
>     [2007/01/31 10:28:19, 1] smbd/chgpasswd.c:change_oem_password(1040)
>       user test cannot change password now, must wait until Wed, 07
>     Feb 2007 10:09:38 EST
>
> So the section where it says Password expired at Tue, 30 Jan 2007 is 
> correct. A pdbedit -Lv username shows:
>
>     Logoff time:          Mon, 18 Jan 2038 22:14:07 EST
>     Kickoff time:         Thu, 31 Jan 2030 22:14:07 EST
>     Password last set:    Wed, 31 Jan 2007 10:09:38 EST
>     Password can change:  Mon, 01 Jan 2007 00:00:00 EST
>     Password must change: Tue, 30 Jan 2007 10:09:38 EST
>
> But the log file claims that the password cannot change until Friday 
> Feb 2, 2007, which is seven days from Password last set: Wed, 31 Jan 2007.
> BUT...Password CAN CHANGE time says: Mon, 01 Jan 2007.
> I do have Minimum Password Age set to 7 days, but shouldn't Password 
> can change show a date 7 days from Password last set? For some reason 
> pdbedit is not showing the correct information.
> If I run pdbedit --pwd-can-change-time="<today's date>" 
> --time-format="%Y-%m-%d", it will change the date to today, but will 
> still be counting 7 days from Password last set. Is there a way to 
> alter Password last set?
>
> On 1/31/2007 10:47 AM, Jason Baker wrote:
>> I have a samba PDC set up and configured. I have been doing tests and 
>> everything was working fine. I was able to set "User must change 
>> password" to today's date and it would prompt the user that their 
>> password has expired when logging into windows xp. I could then enter 
>> a new password and be on my way. Now when I set the password to "User 
>> must change password", when I enter the new password twice I get:
>>
>>    The password on this account cannot be changed at this time.
>>
>> I'm not sure why it was working and now suddenly it isn't. Any thoughts?
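
The workaround from the top message, as an added example that is not part of the original posts or Samba's own code: it models the minimum-age check the log implies (Password last set plus 7 days), then computes a backdated Unix timestamp and the LDIF to write it. Assumptions: `sambaPwdLastSet` is the Samba LDAP schema attribute behind "Password last set", the DN is a constructed placeholder, and the helper names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")
MIN_AGE = timedelta(days=7)  # "Minimum Password Age" from the post

# Values taken from the pdbedit output and log lines in the thread.
LAST_SET = int(datetime(2007, 1, 31, 10, 9, 38, tzinfo=EST).timestamp())
ATTEMPT = int(datetime(2007, 1, 31, 10, 28, 19, tzinfo=EST).timestamp())


def can_change_at(last_set, min_age=MIN_AGE):
    """Earliest accepted change time (assumed model: last set + minimum age)."""
    return last_set + int(min_age.total_seconds())


def change_allowed(last_set, now, min_age=MIN_AGE):
    return now >= can_change_at(last_set, min_age)


def backdated_last_set(now, min_age=MIN_AGE, margin=timedelta(days=1)):
    """A 'Password last set' value older than the minimum age, as a Unix timestamp."""
    return now - int((min_age + margin).total_seconds())


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=EST).strftime("%a, %d %b %Y %H:%M:%S EST")


def ldif_modify(dn, last_set):
    """LDIF that writes the new value; the DN passed in is a constructed placeholder."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaPwdLastSet",
        f"sambaPwdLastSet: {last_set}",
    ]) + "\n"


if __name__ == "__main__":
    print("blocked until:", fmt(can_change_at(LAST_SET)))
    new_value = backdated_last_set(ATTEMPT)
    print("allowed after backdating:", change_allowed(new_value, ATTEMPT))
    print(ldif_modify("uid=test,ou=People,dc=example,dc=com", new_value))
```

With the thread's values the computed "blocked until" time matches the date in the `change_oem_password` log line rather than the "Password can change" field shown by pdbedit.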

