help with pwd can/must change LDAP attributes

Charles Owens owensc at enc.edu
Tue Jun 29 14:39:04 GMT 1999


I've got a PDC set up with the LDAP back end working fairly well.  Many
thanks to Ignacio Coupeau for posting his "recipe" which saved my butt
big time (see link at end).

Anyhow, one annoyance is that users always seem to have the "Can't
change password" and "Must change password at next logon" attributes set
(at least they're set when looking at accounts via usrmgr.exe).  The
actual effect is confusing:

   * When logging in, I'm told my password has expired, and prompted to
     change the password.
   * I can actually change the password! ...either in this dialog or the
     other usual means (at least the SMB-side of things... I'm having
     trouble with the UNIX password sync functionality)... this despite
     what is reported in usrmgr.exe.

So my biggest complaint is the prompting to change the password, which
happens at every logon.  It appears that the user can just click
'cancel' (and not change the password) and continue on with no ill
effects.  Still... it's annoying.

So... I've tried to play with the pwdCanChange and pwdMustChange
attributes from the LDAP schema.  I've not been able to come up with any
documentation on them.  I've dug through the samba/ldap logs and the
source (though I'm no C expert) and haven't found anything that works.
Something in the source suggested to me that setting pwdMustChange to
"-1" or "0" might do the trick...  I first thought that they were simply
booleans, but from the source I see that they are some kind of time
values.  This makes sense to me for pwdMustChange (an expiration time),
but not for pwdCanChange.

Can anyone explain how these attributes should work?  What are useful
values?  What will solve my particular dilemma?

The "recipe":  http://us1.samba.org/listproc/samba-ntdom/4872.html

Thanks much,
---
-------------------------------------------------------------------------

  Charles N. Owens                               Email:  owensc at enc.edu
                                             http://www.enc.edu/~owensc
  Network & Systems Administrator
  Information Technology Services  "Outside of a dog, a book is a man's
  Eastern Nazarene College         best friend.  Inside of a dog it's
                                   too dark to read." - Groucho Marx
-------------------------------------------------------------------------




