[Samba] Password Expiration
Jim Morris
jim at morris-world.com
Wed Mar 20 07:38:08 GMT 2002
Hi All.
I want to confirm something I have been researching. I have a site that
I installed a Linux/Samba server for several years ago. After years of
successful use, this location is having a number of new security
policies rammed down their throat by their corporate headquarters. One
of the new policies is that ALL passwords must expire after 60 days.
My research in the mailing list archives and on the Internet seems to
indicate that Samba 2.2.x can be configured to obey the PAM
authentication rules - which would imply following any password
expiration rules established for the system via the PAM configuration.
However, based on the Samba 2.2.3a smb.conf man page, it seems that this
requires you to disable the use of encrypted passwords. Unfortunately,
this would mean going around to ALL PC's on large network (100+ users)
and performing the plain-text password registry hack.
The other information I have found in my research is that Windows 95/98
clients apparently do not handle password expiration well. I.e. they
keep logging into the domain until the password expires, and then just
cannot login anymore.
Can anyone confirm or refute these facts for me? Has anyone
successfully setup password expiration on a Samba server that serves a
mix of Windows NT, Windows 2000 and Windows 98 clients (90% Windows 98
in this case).
I have thought of all sorts of ways to let PC users know to change their
passwords - via some type of program that runs from the login scripts,
via a web page on the Samba server, etc. In reality I think they are
better off NOT expiring the passwords, as that will tend to force users
to choose poor passwords in the long run. It's not my call though - I
am just basically an unpaid technical consultant in this case...
Thanks!
--
/-------------------------------------\
| Jim Morris | jim at morris-world.com |
\-------------------------------------/
More information about the samba
mailing list