Handling forced pwd changes

Brian Key Brian at fantasia.demon.co.uk
Sun May 14 18:52:50 GMT 2000


Hi all,

Can anyone help?

An office has a RedHat Linux server running Samba 2.06 / 2.07
installed to provide local private and shared drives for Win95
users.
Samba is running as a local master browser for workgroup <dom-name>
on subnet a.b.c.d and provides a Win95 domain logon service for the
office staff using a central NT PDC for password validation.
The office PCs are set up for a standard MS networking domain logon
to <dom-name>.
A successful logon grants access to the local drives and the
resources made available by NT (an Exchange mail account and a drive
shared by the PDC).
There is no Linux or other user logon available.  Linux and Samba
are, and must remain, totally invisible to the users - so there
should be no problems caused by account password synchronisation.

In short, I have Samba running with security=domain just fine, as
near as I can tell.  It's currently working beautifully on 19
servers, each with around 30 users at 2-3 shared drives per user.
The client I'm contracting with and doing this work for is very
pleased with the results, as am I!

But - how do I now have Samba deal with the PDC requesting an NT
password change? This event is recorded in the Samba log as
NT_STATUS_PASSWORD_MUST_CHANGE.

At the moment all users accessing resources via Samba have had the
forced password change disabled on the relevant NT account so the
problem is suppressed.  It's workable like this because the users
are still able to change their NT password by using Windows' Control
Panel.
With the forced password change activated a user attempting to log
on correctly will just be shown the standard Microsoft Networking
"Domain logon failed" error dialog, followed by the initial domain
logon dialog again - so they can never log on.

However the client will soon want to reactivate forced password
changes, because this is how other accounts are set up in different
offices running Win95/NT Workstation, logging onto NT directly.
I can't find any references to dealing with a PDC forcing an NT
password change and wondered if I was missing something - quite
likely - or if someone out there had been down the same road and
would kindly point me in the right direction.


TIA
Brian

---------
Brian Key
brian at fantasia.demon.co.uk

