[Samba] Password Expiration when using LDAP

Buchan Milne bgmilne at cae.co.za
Mon Aug 5 06:41:03 GMT 2002

> Message: 9
> Date: Sat, 3 Aug 2002 04:11:30 -0700 (PDT)
> From: "Hesham S. Ahmed" <zlinux2002 at yahoo.com>
> To: Samba <samba at lists.samba.org>
> Subject: [Samba] Password Expiration when using LDAP
> Hi,
> We are planning to move all of our win2k server
> (currenty around 50!) alongwith AD to Linux, we are
> planning to use LDAP based samba domain controllers
> for authentication and file/print serving. We are
> doing a pilot and things are fine till now, just one
> simple problem, what should we do with our password
> policy, we have three restrictions relating passwords
> minimum password length

Not only length, but if you use something like this in your 

password   required     /lib/security/pam_cracklib.so retry=3 minlen=x dcredit=y ucredit=z

You can get more than what you want (including dictionary checking). 
This is of course only if you have pam password change = yes in your 
smb.conf (which you will probably want if you want to keep your unix and 
samba passwords in your LDAP database in sync, and thus have a pam_ldap 
entry for password in your /etc/pam.d/samba or included via pam_stack).

> password expiration

You can expire them, but they don't seem to unexpire. You can just set 
pwdMustChange 0.

> password history (so users cant reuse old password for
> some time)

I don't think this is currently possible.

> AFAIK samba 2.2.5 PDC doesn't support any of these. I
> was thinking if there is any way to implement these
> restrictions at LDAP level, I mean adding a few
> attributes stroring password change dates and checking
> for expiration interval by using maybe a cron job that
> checks the no. of days elapsed.... or should I rather
> wait?

Password history should probably be handled by pam_ldap, but that would 
only work if you're syncing unix and samba passwords in LDAP.

It seems password expiry is broken in samba though ...

I am not sure exactly how the password expiry works, but I think it 
should be something like this (using bash for clarity):

# %u is the Samba username substitution; replace it with a real uid when running by hand
pwdMustChange=$(ldapsearch -x -LL "(uid=%u)" pwdMustChange | awk '/^pwdMustChange:/ {print $2}')
pwdLastSet=$(ldapsearch -x -LL "(uid=%u)" pwdLastSet | awk '/^pwdLastSet:/ {print $2}')
pwdAge=$(( $(date +%s) - pwdLastSet ))   # seconds since the password was last set
if [ "$pwdAge" -ge "$pwdMustChange" ]; then
    echo "password expired"              # force a change at next logon
fi

That way you only ever have to write password ages when you change a 
password (and you're writing anyway for the password), and there's no 
need for cron jobs to update password change times etc.

But this doesn't quite seem to work. It seems that if pwdMustChange is 
2147483647, then the password isn't expired; if it is anything else, it 
is expired.

It would be nice to at least get this functionality working for 2.2.6 
.... to the point where you only get a "Your password expires today" if 
$pwdAge-pwdMustChange<=1 day

> Does HEAD supports these features, my company wouldn't
> mind using HEAD in production!!! as most of our
> business is dependent on Lotus Domino which is in no
> way dependent on NT PDC functionality.

Not sure.

|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
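As an added example, not part of the thread and not Samba's own code: a POSIX shell script that applies the expiry check discussed in the reply above to the output of `ldapsearch -x -LL "(uid=$user)" pwdLastSet pwdMustChange`, and also produces the "expires today" warning the reply asks for. It assumes (this is an interpretation, not something the thread states) that both attributes are seconds since the epoch and that pwdMustChange is an absolute deadline rather than the interval the reply's snippet compares against; 2147483647 is the largest 32-bit time_t, which matches the "never expired" behaviour observed above. The LDIF, user names and timestamps are constructed so the script runs offline; feed it real ldapsearch output instead of SAMPLE_LDIF in practice.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Evaluates Samba 2.2
# password expiry from the sambaAccount attributes pwdLastSet/pwdMustChange
# as printed by:  ldapsearch -x -LL "(uid=$user)" pwdLastSet pwdMustChange
# Assumptions: both attributes are seconds since the epoch; pwdMustChange is
# an absolute deadline (not an interval); 2147483647 (max 32-bit time_t, the
# value the reply above observed) means "password never expires".

NEVER_EXPIRES=2147483647
DAY=86400

# Constructed sample LDIF standing in for real ldapsearch output.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
pwdLastSet: 1028000000
pwdMustChange: 1030592000

dn: uid=bob,ou=People,dc=example,dc=com
pwdLastSet: 1028000000
pwdMustChange: 2147483647
'

# entry_attr LDIF UID ATTR: print ATTR of the entry whose dn starts with uid=UID.
# Only the matching entry is read, so another user's attributes cannot leak in.
entry_attr() {
    printf '%s\n' "$1" | awk -v uid="$2" -v attr="$3" '
        /^dn: /                        { inentry = (index($0, "dn: uid=" uid ",") == 1) }
        inentry && ($1 == (attr ":"))  { print $2; exit }'
}

# check_expiry LDIF UID NOW: prints never | expired | expires-today | ok N | unknown
# (N = whole days left). NOW is passed in so the check is reproducible.
check_expiry() {
    must=$(entry_attr "$1" "$2" pwdMustChange)
    last=$(entry_attr "$1" "$2" pwdLastSet)
    now=$3
    # Missing attributes or a pwdLastSet in the future (clock skew, bad data):
    # refuse to decide rather than silently treating the password as valid.
    if [ -z "$must" ] || [ -z "$last" ] || [ "$last" -gt "$now" ]; then
        echo unknown; return 2
    fi
    if [ "$must" -eq "$NEVER_EXPIRES" ]; then
        echo never; return 0
    fi
    remaining=$(( must - now ))
    if [ "$remaining" -le 0 ]; then
        echo expired; return 1
    elif [ "$remaining" -le "$DAY" ]; then
        echo expires-today; return 0     # the one-day warning the reply asks for
    fi
    echo "ok $(( remaining / DAY ))"
}

# Stand-alone demo: three points in time around alice's deadline, plus bob.
for now in 1030500000 1030550000 1030600000; do
    echo "alice at $now: $(check_expiry "$SAMPLE_LDIF" alice "$now")"
done
echo "bob   at 1030600000: $(check_expiry "$SAMPLE_LDIF" bob 1030600000)"
```

The deadline is read from the directory on every check and the only write happens when the password is set, which is the property the reply wants: no cron job has to touch password change times. The "unknown" result is deliberate; a missing attribute or a last-set time in the future is a data problem, and failing open there would turn a schema mismatch into a never-expiring password.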
