[Samba] Forcing Users to change passwords.

Rauno Tuul rauno.tuul at haigekassa.ee
Thu Dec 11 14:28:51 GMT 2003


Hi,

Samba-3 with an LDAP backend is capable of this. I'm using it and it works.
All you have to do is use LDAP and set proper account policies:

$ pdbedit -P "bad lockout attempt" -C 5
(after 5 wrong passwords, the user account will be locked out - Samba sets
the password hashes to ***NOPASSWORD*** and the user is unable to log on).

$ pdbedit -P "min password length" -C 9

# password age 90 days
$ pdbedit -P "maximum password age" -C 7776000
Samba takes the age in seconds, so 60*60*24*90 is what you need.
Remember that the user has to change his/her password from a workstation
once, then the policy takes effect. Another way is to manually change the
user's "sambaPwdMustChange" value to "0", so the user is forced to change
the password on next logon. After the password change, a new
"sambaPwdMustChange" will be set, with a timestamp 90 days forward.

$ pdbedit -P "password history" -C 3
Doesn't work. Andrew said it isn't implemented yet. Samba doesn't store
password history... I don't know how it should be done, but it would be very
nice to have it.

regards,

 Rauno Tuul

> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
>
> > Recently we were audited and as part of that they looked at our systems
> > and policies etc and produced a report.
> >
> > As part of that report they mentioned about forcing users to change
> > their passwords every 90 days or so.
> > They also mentioned about disabling accounts after 3 login attempts.
> >
> > I'm pretty sure both can be done on NT, but I'd rather stick with rh and
> > samba thanks ever so much.
> > Can samba do these things? even if it's a tinkering kind of job?
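
Added example, not part of the original post or of Samba: a small audit that reads an LDIF export of the accounts and classifies each one by its "sambaPwdMustChange" value against the 90-day maximum age described above. The LDIF sample, the DNs, the fixed NOW value and the function names are constructed for illustration.

```python
MAX_AGE = 60 * 60 * 24 * 90   # 7776000 s, the "maximum password age" set above
NOW = 1071152931              # constructed "current time" (Unix seconds)
# Constructed sample; real input would be an LDIF export of the Samba accounts.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sambaPwdMustChange: 0

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sambaPwdMustChange: 1071066531

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
sambaPwdMustChange: 1078928931

dn: uid=dave,ou=People,dc=example,dc=org
uid: dave
"""

def parse_ldif(text):
    """Yield one dict per entry (blank-line separated, folded lines joined)."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip(), value.strip())
        if entry:
            yield entry

def classify(raw, now):
    """Status for one sambaPwdMustChange value (Unix seconds as a string)."""
    if raw is None:
        return "unset"                    # user never changed password under policy
    if not raw.isdigit():
        return "invalid"
    must_change = int(raw)
    if must_change == 0:
        return "change-at-next-logon"     # the manual "0" described above
    if must_change <= now:
        return "expired"
    if must_change > now + MAX_AGE:
        return "exceeds-max-age"          # further out than the policy allows
    return "ok, %d days left" % ((must_change - now) // 86400)

def audit(ldif_text, now):
    return {e.get("uid", e.get("dn")): classify(e.get("sambaPwdMustChange"), now)
            for e in parse_ldif(ldif_text)}
```

Call `audit()` on a real export with `int(time.time())` as `now`; accounts reported as "unset" or "exceeds-max-age" are the ones the 90-day policy is not yet constraining.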

