[Samba] Forcing Users to change passwords.

tbey at tbey.com tbey at tbey.com
Thu Dec 11 16:13:38 GMT 2003


Hello,

This is great information.  I have been using tbdsam as a backend and I
have been unable to get the pdbedit -P "bad lockout attempt" -C XXX to be
enforced.  When I set the attribute it seems that I can try to login as
many times as I want.  Any help out there?


> Hi,
>
> Samba-3 with LDAP backend is capable in this. I'm using it and it works.
> All you have to do, is to use LDAP and set proper account policies:
>
> $ pdbedit -P "bad lockout attempt" -C 5
> (after 5 wrong password, user account will be locked out - samba sets
> password hashes to ***NOPASSWORD*** and user is unable to logon).
>
> $ pdbedit -P "min password length" -C 9
>
> # password age 90 days
> $ pdbedit -P "maximum password age" -C 7776000
> Samba takes age in seconds, so 60*60*24*90, is what you need.
> Remember, that the user has to change his/her password from workstation
> once, then policy takes effect. Another way is to manually change users
> "sambaPwdMustChange" value to "0", so user is forced to change password on
> next logon. After password change, new "sambaPwdMustChange" will be set,
> with timestamp 90 days forward.
>
> $ pdbedit -P "password history" -C 3
> Doesn't work. Andrew said, it isn't implemented yet. Samba doesn't store
> password history... I don't know how it should be done, but it would be
> very
> nice to have it.
>
> regards,
>
>  Rauno Tuul
>
>> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
>>
>> > Recently we were audited and as part of that they looked at
>> our systems
>> > and policies etc and produced a report.
>> >
>> > As part of that report they mentioned about forcing users to change
>> > thier
>> > passwords every 90 days or so.
>> > They also mentioned about disabling accounts after 3 login attempts.
>> >
>> > Im pretty sure both can be done on NT, but id rather stick
>> with rh and
>> > samba thanks ever so much.
>> > Can samba does these things? even if its a tinkering kind of job?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>



More information about the samba mailing list