[Samba] password expiration
Jim Morris
Jim at Morris-World.com
Wed Dec 4 04:29:00 GMT 2002
On Tuesday, December 3, 2002, at 01:46 PM, <dan at essensys.com> wrote:
> 1) Does Samba now fully support password expiration? (I can get it to pop
> up a message on the windows client that the password is about to expire, but
> it keeps letting me log on)
Samba does not directly support password expiration (at this time
anyway). It indirectly can support it via PAM on Linux, Solaris or
other PAM enabled systems. In these cases, by setting 'obey pam
restrictions = yes' in your smb.conf file, you can have Samba obey any
expiration settings on the user accounts, which you have set up in the
Unix password database.
That said, my experience in implementing this for a large site recently
is that you will NOT get any sort of password expiration dialog at the
Windows clients. What happens is that you either can log in, or you
cannot. Once the password has expired, you can no longer log on to the
domain or the Samba server. No explanation is given - it is as if you
keyed in a bad password.
> 2) How do I get it to change password from the "password is expiring"
> dialog? (I can change the password from the "change password" button in
> windows, but when I say I want to change it from the "password about to
> expire" message, I always get "can't change password because domain is
> unavailable")
I think I addressed this already - Samba is not what displays this
dialog on the Windows client.
The solution I ultimately implemented in order to meet a new 60-day
password expiration policy was to implement a web page which is invoked
by the Windows logon script if the user is within the 'warning' period
configured in the Unix password database. 7 days for example. During
that period, a web page will be invoked by the logon script, telling
the user their password is about to expire in x days, and giving them a
link to a URL on the Samba server itself, where they can change their
password.
I guess maybe I could put something together like a HOWTO on this topic
if it sounds useful to others. It took a few days to piece together a
solution....
--
Jim Morris (Jim at Morris-World.com)
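
Added example, not part of the original message and not the author's script: one way the server side of the check described above could decide whether an account is inside the warning period, reading the aging fields of a shadow(5) entry. The function name, the sample entry and the exact boundary handling (warn when days left <= warn) are assumptions made for illustration.

```python
import time
from typing import NamedTuple, Optional

# Constructed sample entry in shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE = "alice:!:11990:0:60:7:::"


class Status(NamedTuple):
    state: str                 # ok | warning | expired | must_change | no_aging
    days_left: Optional[int]   # days until the password expires, if aging applies


def _num(field: str) -> Optional[int]:
    """Shadow fields may be empty; treat empty as 'not set'."""
    return int(field) if field.strip() else None


def password_status(shadow_line: str, today: Optional[int] = None) -> Status:
    """Classify one shadow entry. `today` is days since 1970-01-01 (UTC)."""
    if today is None:
        today = int(time.time() // 86400)
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("not a shadow(5) entry")
    lastchg, max_days, warn = _num(fields[2]), _num(fields[4]), _num(fields[5])

    if lastchg == 0:
        # lastchg of 0 forces a change at next login.
        return Status("must_change", 0)
    if lastchg is None or max_days is None or max_days < 0:
        # No maximum age configured: the password never expires.
        return Status("no_aging", None)

    days_left = lastchg + max_days - today
    if days_left < 0:
        # With 'obey pam restrictions = yes' the Windows logon now just fails.
        return Status("expired", days_left)
    if warn is not None and days_left <= warn:
        # This is the window in which the logon script should open the page.
        return Status("warning", days_left)
    return Status("ok", days_left)


if __name__ == "__main__":
    print(password_status(SAMPLE, today=12045))
```

Reading the real shadow file needs root, so a check like this would run on the Samba server and hand only the state and day count to whatever the logon script calls.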