Forcing Password Change

Jason Jensen jasonjensen at home.com
Tue Aug 22 21:09:23 GMT 2000


You both are forgetting one thing: these machines have the ability to run NT
scripts.. use this ability.. NT scripts are VERY powerful. I think you have
overlooked them. I am certain that you could make a user change his
password, or at the very least bring a message up telling him password
policy.
----- Original Message -----
From: "James B Curry" <jbcurry at hline.localhealth.net>
To: <samba-ntdom at samba.org>; <anthonyp at esociety.com>
Sent: Tuesday, August 22, 2000 1:36 PM
Subject: Re: Forcing Password Change


> Tony -
>
> Saw your posting on the SambaNTDom list server, and am in the same boat.
>
> On Wed, Aug 02, 2000 at 01:44:29AM +1000, Anthony Plastino wrote:
> > I can't seem to search the archives (for a while) and have looked
> > through several months of posts in those archives I _can_ get access
> > to and I haven't seen a mention of forcing password changes.  Nor is
> > there any sort of reference in the manual or any other documentation
> > I can get my hands on.
>
> Ditto.  I think the reason that we can't find documentation is because
> the feature doesn't exist.  The Samba experts I have been in contact
> with have puzzled looks on their e-mail faces. :Z
>
> I have been told to wait for Samba 2.1 - specifically for LDAP support
> to save the day. How helpful :(
>
> > I have a client that needs to be able to force users to change their
> > password at regular intervals.  In a pure NT or Pure *nix environment
> > this is possible.  However, it seems to be impossible in their
> > current situation:
> .
> <SNIP>
> .
> > Simply trusting that a user will change their password is not enough,
> > they won't unless they are forced to.
>
> That's exactly the problem we're dealing with.  I think the solution is
> to give them a "nuisance" incentive.  An example would be: having a cron
> script frequently monitor whether the entry in the password file has
> been changed within the desired timeframe for each user, and, if not,
> automatically modify the smb.conf file to include "invalid users = (list
> of delinquent users)" for each user/share you wish to restrict.  When
> the user changes his/her password, the cron script will (eventually)
> notice and restore the rights.
> This may seem messy, but it's the only solution I've been able to come
> up with.
>
> > I believe that I have a mechanism (set of scripts + SSH) that will
> > interact with samba to synchronize all of the systems when a user
> > makes the change from her control panel ( the reasons for not moving
> > completely to NIS or LDAP are numerous).
>
> Have you looked at PAM?
> ftp://ftp.netexpress.net/pub/pam
> I'm honestly not sure whether or not this would be helpful for your
> scenario.
>
> You probably already know that the smbpasswd and passwd files can be
> synchronized from the Samba side by using "unix password sync = yes" in
> the smb.conf.  This will update the Unix password whenever the user
> changes their Samba password from the Win9x client.  It does not work
> the other way around, however, without something like PAM.
>
> I speculate that, even if the Unix password is updated via Samba, it
> could trigger PAM to update the passwords in any other password files
> you have configured PAM for.
>
> This is the extent of my knowledge on this subject.  But it's worth
> looking at.
>
> > Can someone point me to a source for forcing these users to change
> > their passwords?
>
> Wish I could, but I'm clueless.  If you find one, please let me know!!!
>
> > How about adding an "acceptable use" banner to the login screen?
> > Forcing "good" (also read strong) password construction?
>
> The "acceptable use" banner can be accomplished with the Windows System
> Policy Editor.  A global policy file can be placed on your Domain
> Controller so that when a user logs on to the network, it downloads and
> applies the policies to their PC.  One of the System Policies you can
> set is "Logon Banner", where you can require a custom banner to be
> displayed prior to log on.  (Note that it would not occur on the very
> first log on for that PC, as the policy has not been downloaded yet, but
> would work for every successive logon until the policy is changed.)
>
> There are 3 other useful System Policies related to passwords:
> disabling password caching, minimum password length, & required use of
> an alphanumeric password.  I have not seen a setting for good password
> syntax, however.
>
> O'Reilly (www.oreilly.com) has a useful book called "Windows System
> Policy Editor".  It just hit the stands in July, and is very helpful for
> tightening up Windows clients.
>
> >
> > I wish that there was a viable alternative to windows, and having
> > these particular tools at hand would be most beneficial.
>
> Hope there's something here you can use.  If you find a solution to the
> forced password issue, please please please pass it on to me..
>
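
The cron-driven check described in the quoted message, sketched as an added example (not code from any poster in this thread or from the Samba project). It assumes the password file is an smbpasswd file whose entries carry an LCT-<hex epoch> last-change field, and that the result is written to a fragment file that smb.conf pulls in with an include line; the sample entries, function names and the 90-day limit are constructed for illustration.

```python
import os
import re
import tempfile
import time

LCT_RE = re.compile(r"LCT-([0-9A-Fa-f]{8})")
H = "X" * 32  # placeholder hash field, not a real hash

# Constructed sample entries: name:uid:LM hash:NT hash:[flags]:LCT-<hex epoch>:
SAMPLE = "\n".join([
    "# constructed sample, not real account data",
    f"alice:1001:{H}:{H}:[U          ]:LCT-39A2F000:",
    f"bob:1002:{H}:{H}:[U          ]:LCT-38000000:",
    f"carol:1003:{H}:{H}:[U          ]:LCT-00000000:",
    f"dave:1005:{H}:{H}:[U          ]:",
    f"ws01$:1004:{H}:{H}:[W          ]:LCT-38000000:",
])

def last_changes(text):
    """Map each user account to its last-change epoch (None if unknown)."""
    result = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 5:
            continue
        name, flags = fields[0], fields[4]
        if name.endswith("$") or "W" in flags:
            continue  # machine trust accounts are not subject to the policy
        m = LCT_RE.fullmatch(fields[5]) if len(fields) > 5 else None
        stamp = int(m.group(1), 16) if m else 0
        result[name] = stamp or None  # missing or zero LCT: never changed
    return result

def delinquent_users(text, max_age_days, now=None):
    """Users whose password is older than max_age_days or has no change time."""
    now = time.time() if now is None else now
    limit = max_age_days * 86400
    return sorted(u for u, t in last_changes(text).items()
                  if t is None or now - t > limit)

def invalid_users_line(users):
    """Render the smb.conf parameter; an empty string lifts the restriction."""
    return "invalid users = " + " ".join(users) if users else ""

def write_fragment(path, line):
    """Atomically replace the fragment so it is never read half-written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")
    os.replace(tmp, path)
```

Accounts with a missing or zero change time are treated as delinquent rather than skipped, so an entry the script cannot date fails closed.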




