[Samba] Samba+LDAP PDC - A few questions.

NSC - NetworkServiceCenter nsc at fh-stpoelten.ac.at
Tue Jun 3 08:57:43 GMT 2003

hi kevin,

> 1). How do I/Can I script the installation of a generic password into
> these accounts?  I'm looking to put some common password in for all
> users and then allow the users to change it once they log into the new
> server/domain.  I don't see a method of doing so with
> 'smbldap-passwd.pl'.
write your own shellscript that uses smbldap-useradd.pl, add the features
you need and use this script to create user!

> 2). I used the following command to add all of my users to the LDAP
> Directory:
> 'smbldap-useradd.pl -a -m -A 1 -G <group1>,<group2> <username>'
> This successfully created the users, their home folders and placed them
> in their groups, but it did not change the value for "pwdCanChange" in
> the LDAP directory, as shown by 'smbldap-usershow.pl'. I want the users
> to be able to change their own passwords - at any time - is there
> something I did wrong when creating the user account?
sorry, but i don't know smbldap-useradd.pl - i wrote my own admintools!

> 3). I want every user's password to expire on a 90-cycle.  I think I
> see a slot in the LDAP directory for such an option - pwdMustChange,
> but by default is set to a huge number - 2147483647.  First, what
> number does that represent?  Seconds? Minutes? Days? Months?  I've
> watched it for the past week and it hasn't changed.  Which leads me to
> my next question, will changing this number to "0" actually cause the
> respective password to expire?  Will setting this number to "90" (or
> what ever representation needed) allow a 90 day cycle?  If not, what
> must I do to have this 90 day cycle?
this number is a unix timestamp - the seconds since 1.1.1970!
the solution is: enable passwordsync and as program use a shellscript that
creates the timestamp (90 days are 7776000 seconds) and insert this with
ldapmodify into the attr pwdMustChange of the user!
-> let DAYINFUTURE=$(/bin/date +%s)+7776000

> 4). By default, there are fields in the directory for "displayName" and
> "description" that are both set to "System User".  Can I change
> either/both (at least "description") to what ever I want while creating
> the user account?  I couldn't find a switch in 'smbldap-useradd.pl' to
> allow that.  I guess I could script it using 'smbldap-usermod.pl', but
> would prefer it to be done as one step.
sorry, but once again: i don't know smbldap-useradd.pl - i wrote my own
admintools and they do what i want ;-)

i hope it was a little help
thomas reisenbichler
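
The timestamp approach from the answer to question 3, as an added example that is not part of the original post: it computes "now + N days" as a Unix timestamp and prints the LDIF that ldapmodify would apply to pwdMustChange. The function names, the sample DN and bind DN, and the 32-bit upper bound are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Assumed names: is_uint, expiry_timestamp, must_change_ldif, sample DNs.
MAX_TS=2147483647   # 2^31-1, the default pwdMustChange value quoted in the question
NL='
'

# is_uint VALUE: succeeds only for a plain decimal integer without leading zeros
is_uint() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
}

# expiry_timestamp NOW DAYS: print the Unix time DAYS days after NOW
expiry_timestamp() {
    echo $(( $1 + $2 * 86400 ))
}

# must_change_ldif DN NOW DAYS: print an LDIF modify record for ldapmodify
must_change_ldif() {
    dn=$1; now=$2; days=$3
    # A line break in the DN would let a caller smuggle extra LDIF lines in.
    case $dn in
        ''|*"$NL"*) echo "invalid DN" >&2; return 1 ;;
    esac
    if ! is_uint "$now" || ! is_uint "$days"; then
        echo "NOW and DAYS must be non-negative integers" >&2; return 1
    fi
    ts=$(expiry_timestamp "$now" "$days")
    # Assumption: the attribute is limited to a signed 32-bit time value.
    if [ "$ts" -gt "$MAX_TS" ]; then
        echo "expiry $ts exceeds $MAX_TS" >&2; return 1
    fi
    printf 'dn: %s\nchangetype: modify\nreplace: pwdMustChange\npwdMustChange: %s\n' \
        "$dn" "$ts"
}

# Typical use (needs a reachable directory and a bind DN, so it is left commented):
#   must_change_ldif "uid=jdoe,ou=Users,dc=example,dc=org" "$(date +%s)" 90 |
#       ldapmodify -x -D "cn=admin,dc=example,dc=org" -W
```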

