[Samba] Password Expiration
Jim Morris
jim at morris-world.com
Wed Mar 20 13:12:44 GMT 2002
On Wed, 2002-03-20 at 14:49, Andrew Bartlett wrote:
> Incorrect. When 'obey pam restrictions = yes' Samba will also honer
> PAM's account and session controls for encrypted passwords.
Hmmm. If this is right, then we need to get the documentation updated.
The current smb.conf man page states:
obey pam restrictions (G)
When Samba 2.2 is configured to enable PAM support
(i.e. --with-pam), this parameter will control
whether or not Samba should obey PAM's account and
session management directives. The default behavior
is to use PAM for clear text authentication only
and to ignore any account or session management.
Note that Samba always ignores PAM for authentica-
tion in the case of encrypt passwords = yes . The
reason is that PAM modules cannot support the chal-
lenge/response authentication mechanism needed in
the presence of SMB password encryption.
Default: obey pam restrictions = no
Note the statement about ignoring PAM when the 'encrypt passwords'
setting is turned on, as will be the case for a Samba PDC.
> > The other information I have found in my research is that Windows 95/98
> > clients apparently do not handle password expiration well. I.e. they
> > keep logging into the domain until the password expires, and then just
> > cannot login anymore.
>
> This is much better in HEAD.
Hmmm. I can pull the HEAD version from CVS and try - but prefer not to
release HEAD into a production environment. Any idea what release HEAD
is currently destined for? 2.2.4 maybe?
> Password expiration is always a difficult area.
>
> Hope this helps,
Thanks!
--
/-------------------------------------\
| Jim Morris | jim at morris-world.com |
\-------------------------------------/
More information about the samba
mailing list