samba4 and password expiration

Andrew Bartlett abartlet at samba.org
Mon Sep 29 03:28:44 GMT 2008


On Sun, 2008-09-28 at 23:25 -0400, Scott Lovenberg wrote:
> Andrew Bartlett wrote: 
> > On Thu, 2008-09-25 at 23:40 +0400, Matthieu Patou wrote:
> >   
> > > On 25.09.2008 21:20, Andrew Bartlett wrote:
> > >     
> > > > On Thu, 2008-09-25 at 21:14 +0400, Matthieu Patou wrote:
> > > >       
> > > > > Dear all,
> > > > > 
> > > > > It seems that the current password expiration for samba4 is around 42
> > > > > days. Is there a way to change this value (parameter in smb.conf, ldb
> > > > > file or even recompilation)?
> > > > >         
> > > > This would be by setting the maxPwdAge in the domain DN, or the
> > > >       
> > > Exactly ... found it, it can be modified with ldbedit -H users.ldb and 
> > > it must be in tenths of a microsecond and a negative number.
> > > 
> > >     
> > > > UF_DONT_EXPIRE_PASSWD flag onto the user (using the setup/setexpiry
> > > > tool).
> > > >       
> > > I didn't know about this but I know that it is possible through the AD 
> > > manager of Microsoft (as spotted in the Samba Wiki).
> > > 
> > > It seems that with a Windows 2003/2008 server you can do this through 
> > > global policy editor, is it planned to do something that either replaces 
> > > this tool or (as it is still useful for defining policies for the 
> > > workstations) to read the files into var/locks/policies and replicate 
> > > the change into samba's ldap?
> > >     
> > 
> > One of the big tasks remaining is to create a tool capable of applying
> > the Group Policy definitions to Samba itself, rather than just to
> > clients.
> > 
> > It would be good to also have a non-Microsoft Group Policy editor.
> You mean a front end strictly to the DS?  Or an editor that abstracts
> Group Policy from Samba semantics, but only supports options common to
> both AD and Samba4?
> 
> I've messed about with Apache Directory Studio a bit.  It's Eclipse
> based, Apache v2.0 licensed (not sure if that's a deal breaker right
> out of the gates), extensible and cross platform (Java).  Could be a
> starting point.  Just an idea.

No, we have plenty of tools we can point folks at to edit the directory,
what we need is tools that understand the mix of pointers in LDAP and
the binary blobs on the netlogon share.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
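
Added example (not part of the original thread and not Samba code): converting a password lifetime in days to the negative tenth-of-a-microsecond value that maxPwdAge expects, and working out when a password expires given that value and the UF_DONT_EXPIRE_PASSWD flag. The function names are hypothetical; the flag value 0x10000, the pwdLastSet attribute, the 1601 epoch and the "0 or minimum int64 means never" rule are Active Directory conventions assumed here, not stated in the thread.

```python
from datetime import datetime, timedelta, timezone

# Assumed Active Directory conventions (only the names maxPwdAge and
# UF_DONT_EXPIRE_PASSWD appear in the thread).
UF_DONT_EXPIRE_PASSWD = 0x10000        # bit in userAccountControl
TICKS_PER_DAY = 86400 * 10_000_000     # one tick = 100 ns = a tenth of a microsecond
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -(2 ** 63)                     # minimum int64, read as "no expiry"


def days_to_max_pwd_age(days):
    """Value to store in maxPwdAge on the domain DN for a lifetime in days."""
    if days <= 0:
        raise ValueError("lifetime must be a positive number of days")
    return -round(days * TICKS_PER_DAY)


def max_pwd_age_to_days(max_pwd_age):
    """Lifetime in days, or None when the stored value means 'never expires'."""
    if max_pwd_age > 0:
        raise ValueError("maxPwdAge is stored as a negative number")
    if max_pwd_age in (0, NEVER):
        return None
    return -max_pwd_age / TICKS_PER_DAY


def datetime_to_filetime(dt):
    """Ticks since 1601-01-01 UTC, the format assumed for pwdLastSet."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Expiry time as a datetime, or None if this password does not expire."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None                    # per-user flag overrides the domain policy
    if max_pwd_age_to_days(max_pwd_age) is None:
        return None
    # maxPwdAge is negative, so subtracting it adds the lifetime.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


if __name__ == "__main__":
    policy = days_to_max_pwd_age(42)   # the 42-day default mentioned in the thread
    changed = datetime_to_filetime(datetime(2008, 9, 1, tzinfo=timezone.utc))  # constructed sample
    print(policy, password_expiry(changed, policy, 0x200))
```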
