No subject


Mon Dec 1 12:27:21 GMT 2003


Hi, everybody.
I've read many posts about forcing users to change their passwords at
logon time from Windows clients, but still I can't make it work.

I've set up a Samba PDC with the latest stable version (2.2.6) of Samba
and configured it to do Unix password syncing through PAM.
Then I've set up Unix passwords with the right aging parameters and all
works fine in Unix (I've got logon messages about password expiration
and I'm forced to change password after expiration time).

From a Win2K client I can't get it to work:
- the account is enabled until password expiry and I have no kind of
  notification about the expiration of the password....
- then one fine day the password really expires and, instead of being
  forced to change it, the user is simply LOCKED OUT (account disabled)

Note that in UNIX the user is still active, as I've set a long interval
between pwd expiry and account locking!

The only functionality needed is a correct expiration / change-forcing
behaviour from Win2K, so I don't want to use LDAP as I think Samba + PAM
might be sufficient for this.

It seems there's something wrong (or simply limited) with PAM <-> Samba
interaction when managing account restrictions.

So the final questions are:
1) Is it possible to make Samba force a password change request at
   client side during logon due to PAM account restrictions?
2) If YES: where have I gone wrong?
3) If NO: is there a stable/production alternative for password expiry
   in Samba?

Many thanks in advance.

Sorry for my English.

Sauro Saltini
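The message turns on the difference between a password that has expired and must be changed and an account that is locked once the inactivity interval has also passed. The following is an added example, not part of the original post: it classifies shadow(5) aging fields into those states, assuming the Unix aging parameters live in /etc/shadow; the function name, the sample entries and the day number are constructed for illustration.

```python
# Added example: classify the password-aging state of one shadow(5) entry.
# Field layout: name:hash:lastchg:min:max:warn:inact:expire:reserved
# Day counts are days since 1970-01-01; an empty field disables the feature.

def _num(field):
    """Parse a numeric shadow field; empty or negative means 'not set'."""
    field = field.strip()
    if not field:
        return None
    value = int(field)
    return value if value >= 0 else None

def shadow_state(line, today):
    """Return (state, days_left) for one shadow entry on day `today`."""
    f = line.strip().split(":")
    f += [""] * (9 - len(f))
    lastchg, _minage, maxage, warn, inact, expire = (_num(x) for x in f[2:8])
    if expire is not None and today >= expire:
        return ("account_expired", None)      # cf. PAM_ACCT_EXPIRED
    if lastchg == 0:
        return ("must_change", None)          # change forced by the admin
    if lastchg is None or maxage is None:
        return ("ok", None)                   # aging not configured
    age = today - lastchg
    days_left = maxage - age
    if age > maxage:
        if inact is not None and age > maxage + inact:
            return ("locked", days_left)      # cf. PAM_AUTHTOK_EXPIRED
        return ("must_change", days_left)     # cf. PAM_NEW_AUTHTOK_REQD
    if warn is not None and age > maxage - warn:
        return ("warn", days_left)            # still valid, warn the user
    return ("ok", days_left)

TODAY = 12387  # constructed: 2003-12-01 as days since the epoch
SAMPLES = [    # constructed entries: max=30, warn=7, inact=60
    "alice:x:12380:0:30:7:60::",
    "bob:x:12360:0:30:7:60::",
    "carol:x:12350:0:30:7:60::",
    "dave:x:12290:0:30:7:60::",
    "erin:x:12380:0:30:7:60:12300:",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry.split(":")[0], shadow_state(entry, TODAY))
```

With these values, `carol` is in the window where a change should be forced at logon, while only `dave` is past the inactivity interval and locked.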



