[Samba] samba-ldap and password expiration

Buchan Milne bgmilne at cae.co.za
Fri Jun 27 11:45:43 GMT 2003

> Message: 11
> Date: Thu, 26 Jun 2003 15:20:14 +0200 (CEST)
> From: "Jérôme Tournier" <jerome.tournier at idealx.com>
> Subject: [Samba] samba-ldap and password expiration
> To: <samba at lists.samba.org>
> Message-ID:
> 	<36533. at webmail.idealx.com>
> Content-Type: text/plain; charset=iso-8859-1
> Hello everybody,
> I am using samba (2.2.8a) with ldap support. In the samba.schema,
> there are special attributes relative to the user password:
> pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and
> pwdLastSet.
> All the samba documentation I can find describes those attributes
> as "currently unused", except the last one, which represents the time
> modification since 1970.
> But what are the other attributes for? Can they be used and
> how?
> For example, I found that pwdMustChange can be used to force a user to
> change his password. It seems that if I set pwdMustChange to epoch
> time+20, the user will have to change his password in 20s. And again
> in 20s ... So can I force a user to change his password in n seconds,
> but more later?

The problem is that samba doesn't unexpire passwords, and it is
difficult to unexpire them via a script, since samba reads all the
attributes before a password change, runs whichever password change
mechanism you have if you are using password synchronisation (either pam
or passwd program), and then makes its changes in LDAP (overwriting any
samba attributes that may have been changed by passwd program).

It may be possible to store the password change times in a separate
file, and post-process them via a cron job, but I haven't had time to
implement this.

AFAIK, samba3 will fully support password age/changing restrictions.


- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7


Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer or send an e-mail to info at cae.co.za for a copy.
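
A sketch of the "separate file plus cron job" idea from the reply above, as an added example that is not code from the post or from Samba. Assumptions: the passwd program appends `uid epoch` lines to a side file (a hypothetical format), entries live under a placeholder `ou=People,dc=example,dc=com`, the maximum password age is 90 days, and pwdMustChange holds an epoch timestamp as the quoted message describes.

```python
import re

MAX_AGE = 90 * 24 * 3600                   # assumed policy: 90 days, in seconds
BASE_DN = "ou=People,dc=example,dc=com"    # placeholder directory layout
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")   # rejects DN/LDIF metacharacters
TIME_RE = re.compile(r"[0-9]{1,10}")

def latest_changes(lines):
    """Return {uid: newest change time} from 'uid epoch' lines, skipping bad ones."""
    latest = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        uid, when = parts
        # Validate both fields before they are ever placed in a DN or LDIF value.
        if not UID_RE.fullmatch(uid) or not TIME_RE.fullmatch(when):
            continue
        latest[uid] = max(int(when), latest.get(uid, 0))
    return latest

def unexpire_ldif(lines, max_age=MAX_AGE):
    """Build LDIF that moves pwdMustChange to (last change + max_age) per user."""
    records = []
    for uid, when in sorted(latest_changes(lines).items()):
        records.append(
            f"dn: uid={uid},{BASE_DN}\n"
            "changetype: modify\n"
            "replace: pwdMustChange\n"
            f"pwdMustChange: {when + max_age}\n"
        )
    return "\n".join(records)   # blank line between records

# Constructed sample of the side file; the last two lines are deliberately malformed.
SAMPLE_LOG = [
    "alice 1056700000",
    "bob 1056703600",
    "alice 1056710000",
    "bad,uid=x 1056710000",
    "carol notatime",
]

if __name__ == "__main__":
    print(unexpire_ldif(SAMPLE_LOG))
```

Run from cron after Samba has finished its own LDAP write, the output can be piped to `ldapmodify`; the side file should be writable only by the account that runs the passwd program.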
