[Samba] password expiration

Jim Morris Jim at Morris-World.com
Wed Dec 4 04:29:00 GMT 2002 

On Tuesday, December 3, 2002, at 01:46  PM, <dan at essensys.com> wrote:

> 1) Does Samba now fully support password expiration?  (I can get it to 
> pop
> up a message on the windows client that the password is about to 
> expire, but
> it keeps letting me log on)

Samba does not directly support password expiration (at this time 
anyway). It indirectly can support it via PAM on Linux, Solaris or 
other PAM enabled systems. In these cases, by setting 'obey pam 
restrictions = yes' in your smb.conf file, you can have Samba obey any 
expiration settings on the user accounts, which you have setup in the 
Unix password database.

That said, my experience in implementing this for a large site recently 
is that you will NOT get any sort of password expiration dialog at the 
Windows clients. What happens is that you either can login, or you 
cannot. Once the password has expired, you can no longer logon to the 
domain or the Samba server.  No explanation is given - it is as if you 
keyed in a bad password.

> 2) How do I get it to change password from the "password is expiring"
> dialog? (I can change the password from the "change password" button in
> windows, but when I say I want to change it from the "password about to
> expire" message, I aways get "can't change password because domain is
> unavailable"

I think I addressed this already - Samba is not what displays this 
dialog on the Windows client.

The solution I ultimately implemented in order to meet a new 60-day 
password expiration policy was to implement a web page which is invoked 
by the Windows logon script if the user is within the 'warning' period 
configured in the Unix password database.  7 days for example. During 
that period, a web page will be invoked by the logon script, telling 
the user their password is about to expire in x days, and giving them a 
link to a URL on the Samba server itself, where they can change their 
password.

I guess maybe I could put something together like a HOWTO on this topic 
if it sounds useful to others. It took a few days to peice together a 
solution....
  --
Jim Morris (Jim at Morris-World.com)

More information about the samba mailing list