Forcing Password Change

Elrond elrond at samba.org
Tue Aug 1 17:51:34 GMT 2000


Hi,

Well, password-change forcing wasn't requested for a long
time (to be honest, I don't remember any request).

And it isn't currently supported in any form by samba (not
even by TNG).

I could find out how to do it for nt-clients (I've got an
nt-pdc and clients to trace this stuff, if realy needed).
But since I don't have any 9x, I can't trace this and I
don't know anything about the 9x-stuff in samba.
I even don't know, if 9x supports this.

    Elrond


On Wed, Aug 02, 2000 at 01:44:29AM +1000, Anthony Plastino wrote:
> Hi all,
> 
> I can't seem to search the archives (for a while) and have looked through
> several months of posts in those archives I _can_ get access to and I
> haven't seen a mention of forcing password changes.  Nor is there any sort
> of reference in the manual or any other documentation I can get my hands on.
> 
> I have a client that needs to be able to force users to change their
> password at regular intervals.  In a pure NT or Pure *nix environment this
> is possible.  However, it seems to be impossible in their  current
> situation:
> 
> '98 workstations, samba is quasi domain controller and WINS server, NIS used
> in part of the network and a separate system (non NIS) for
> SMTP/POP3/calendaring and a CVS server (zero NT !!  :)  ).
> 
> When users are added into the system they get assigned a password by a
> sysadmin. There are four distinct login IDs per user (POP3, NIS, samba, CVS)
> as well as the Windows password.  To date, there is no way to allow for
> non-repudiation, and that is a serious problem from my point of view--at
> least one other person in the client's company knows anyone's password and
> can masquerade as that user.
> 
> Simply trusting that a user will change their password is not enough, they
> won't unless they are forced to.
> 
> I believe that I have a mechanism (set of scripts + SSH) that will interact
> with samba to synchronize all of the systems when a user makes the change
> from her control panel ( the reasons for not moving completely to NIS or
> LDAP
> are numerous).
> 
> Can someone point me to a source for forcing these users to change their
> passwords?  How about adding an "acceptable use" banner to the login screen?
> Forcing "good" (also read strong) password construction?
> 
> I wish that there was a viable alternative to windows, and having these
> particular tools at hand would be most beneficial.
> 
> Thanks in advance,
> 
> Tony Plastino
> anthonyp at esociety.com
> 
> =====================================
> A. R. Plastino III
> Network and Systems Security Engineer
> eSociety
> http://www.eSociety.com


More information about the samba-ntdom mailing list