Forcing Password Change

James B Curry jbcurry at hline.localhealth.net
Tue Aug 22 18:36:20 GMT 2000


Tony -

Saw your posting on the SambaNTDom list server, and am in the same boat.

On Wed, Aug 02, 2000 at 01:44:29AM +1000, Anthony Plastino wrote:
> I can't seem to search the archives (for a while) and have looked
> through several months of posts in those archives I _can_ get access
> to and I haven't seen a mention of forcing password changes.  Nor is
> there any sort of reference in the manual or any other documentation
> I can get my hands on.

Ditto.  I think the reason that we can't find documentation is because
the feature doesn't exist.  The Samba experts I have been in contact
with have puzzled looks on their e-mail faces. :Z

I have been told to wait for Samba 2.1 - specifically for LDAP support
to save the day. How helpful :( 

> I have a client that needs to be able to force users to change their
> password at regular intervals.  In a pure NT or Pure *nix environment
> this is possible.  However, it seems to be impossible in their
> current situation:
.
<SNIP>
.
> Simply trusting that a user will change their password is not enough,
> they won't unless they are forced to.

That's exactly the problem we're dealing with.  I think the solution is
to give them a "nuisance" incentive.  An example would be: having a cron
script frequently monitor whether the entry in the password file has
been changed within the desired timeframe for each user, and, if not,
automatically modify the smb.conf file to include "invalid users = (list
of delinquent users)" for each user/share you wish to restrict.  When
the user changes his/her password, the cron script will (eventually)
notice and restore the rights.
This may seem messy, but it's the only solution I've been able to come
up with.
 
> I believe that I have a mechanism (set of scripts + SSH) that will
> interact with samba to synchronize all of the systems when a user
> makes the change from her control panel ( the reasons for not moving
> completely to NIS or LDAP are numerous).

Have you looked at PAM?
ftp://ftp.netexpress.net/pub/pam
I'm honestly not sure whether or not this would be helpful for your
scenario.

You probably already know that the smbpasswd and passwd files can be
synchronized from the Samba side by using "unix password sync = yes" in
the smb.conf.  This will update the Unix password whenever the user
changes their Samba password from the Win9x client.  It does not work
the other way around, however, without something like PAM.

I speculate that, even if the Unix password is updated via Samba, it
could trigger PAM to update the passwords in any other password files
you have configured PAM for.

This is the extent of my knowledge on this subject.  But it's worth
looking at.

> Can someone point me to a source for forcing these users to change
> their passwords?

Wish I could, but I'm clueless.  If you find one, please let me know!!!

> How about adding an "acceptable use" banner to the login screen?
> Forcing "good" (also read strong) password construction?

The "acceptable use" banner can be accomplished with the Windows System
Policy Editor.  A global policy file can be placed on your Domain
Controller so that when a user logs on to the network, it downloads and
applies the policies to their PC.  One of the System Policies you can
set is "Logon Banner", where you can require a custom banner to be
displayed prior to log on.  (Note that it would not occur on the very
first log on for that PC, as the policy has not been downloaded yet, but
would work for every successive logon until the policy is changed.)

There are 3 other useful System Policies related to passwords:
disabling password caching, minimum password length, & required use of
an alphanumeric password.  I have not seen a setting for good password
syntax, however.

O'Reilly (www.oreilly.com) has a useful book called "Windows System
Policy Editor".  It just hit the stands in July, and is very helpful for
tightening up Windows clients.

>
> I wish that there was a viable alternative to windows, and having
> these particular tools at hand would be most beneficial.

Hope there's something here you can use.  If you find a solution to the
forced password issue, please please please pass it on to me.
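The cron-script "nuisance" approach described above, as an added example that is not part of the original post: it reads password ageing from a shadow-format file (field 3 is the day number of the last change), lists users whose password is older than a limit, and rewrites the "invalid users" line of one share section in smb.conf, removing the line again once nobody is late. The [homes] share, the 90-day limit, the file paths and the sample accounts are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself.
# Assumes: shadow-format input (field 3 = days since 1970-01-01 of the
# last password change), a share section to restrict, and POSIX awk/sh.

# List users in shadow file $1 whose last change is more than $3 days
# before day number $2. Locked/disabled entries (field 2 starting with
# "!" or "*") are skipped. Output: one space-separated line, empty if
# nobody is late.
delinquent_users() {
    awk -F: -v today="$2" -v max="$3" '
        $2 !~ /^[!*]/ && $3 ~ /^[0-9]+$/ && (today - $3) > max {
            printf "%s%s", sep, $1; sep = " "
        }
        END { if (sep != "") print "" }
    ' "$1"
}

# Replace every "invalid users =" line inside section [$2] of smb.conf $1
# with a single line listing $3; an empty $3 removes the restriction.
update_invalid_users() {
    awk -v section="$2" -v list="$3" '
        /^[ \t]*\[.*][ \t]*$/ {
            name = substr($0, index($0, "[") + 1)
            name = substr(name, 1, index(name, "]") - 1)
            insec = (name == section)
            print
            if (insec && list != "") print "    invalid users = " list
            next
        }
        insec && /^[ \t]*invalid users[ \t]*=/ { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample data (not real accounts): writes a shadow file and an
# smb.conf into a fresh temporary directory and prints that directory.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/shadow" <<'EOF'
alice:$1$xxxx$yyyy:11100:0:99999:7:::
bob:$1$xxxx$zzzz:11000:0:99999:7:::
carol:!:10000:0:99999:7:::
EOF
    cat > "$dir/smb.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    unix password sync = yes

[homes]
    browseable = no
    invalid users = dave
EOF
    echo "$dir"
}

# One cron run against directory $1 with today's day number $2 and a
# maximum age of $3 days; prints the users that were locked out.
# A real job would compute today as $(( $(date +%s) / 86400 )).
run_check() {
    late=$(delinquent_users "$1/shadow" "$2" "$3")
    update_invalid_users "$1/smb.conf" homes "$late"
    echo "$late"
}

# Stand-alone demo on day 11185: alice (85 days) keeps access, bob
# (185 days) is locked out of [homes], carol is skipped (account locked).
if [ "${DEMO:-1}" = 1 ]; then
    d=$(make_sample_dir)
    run_check "$d" 11185 90
    cat "$d/smb.conf"
    rm -r "$d"
fi
```

Two things to keep in mind if you run something like this from cron: the restriction only applies after the cron job runs and the user reconnects, so the "nuisance" is delayed by the cron interval, and the share you restrict must not be the path the user needs in order to change the password (with "unix password sync = yes" the change still comes in through the Win9x change-password dialog), or the lockout can never be lifted.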