Password expiry in Samba?

Andrew Bartlett abartlet at
Mon Oct 29 03:06:03 GMT 2001

Kimmo Akkanen wrote:
> >>In the smbpasswd file, can someone tell me what the last field in each
> >>line means? This is the field that begins with "LCT-". I'm trying to
> >>generate each line from the smb crypt perl module and I need to know what
> >>to put there.
> > LCT == Last Change Time. It's the time in seconds since 1970 when
> > the password was last changed.
> > Jeremy.
> Correct me if I'm wrong, but this seems to give an easy
> way to implement "password expiry" or such parameter to
> Samba? Couldn't Samba just check this "LCT" from smbpassword
> and notify the user if it's more than what's given at smb.conf?
> This could perhaps be done manually now, but would be
> a nifty feature to have straight from smb.conf.
> Btw, Samba 2.2.2 is an excellent product - stable as a rock! =)
> Thanks!

There are two ways this can be done at the moment:

In HEAD, passwords expire every 21 days, unless the 'this account does
not expire' option  is set (which is the default).  By the time HEAD
becomes 3.0 there should be a sane way this can be controlled from

In Samba 2.2 you can use PAM (compile --with-pam) for this.  Keep your
PAM and Samba passwords in sync with the 'unix password sync' and 'pam
password change' options, and then you can enable 'obey pam
restrictions' to get password expiry - in the same way you get it for
SSH logins, for example.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Samba Team member, Build Farm maintainer        abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba mailing list