[Samba] password aging

joe.morin at dominiondiagnostics.com
Tue Mar 4 19:12:56 GMT 2003

Still no luck.
I set 'obey pam restrictions = yes' and 'pam password change yes', I
already had the 'unix password sync = yes'.
I can see entries in the log like this :

Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users

So I'm assuming samba is working with pam.  I have also successfully
changed my user password via the client.  I have edited /etc/shadow to
expire my password in 1 day.  When I log into the machine via ssh I get the
messages saying my password is about to expire, but when I log onto the PC
(which has joined the domain) I don't get the popup message.  If my
password does expire on linux/samba, I get locked out of the domain without
receiving any message on the PC. (This happened to me when my password
expired yesterday).

I have samba and pam implemented, do I need to implement something else?

Should I try implementing OpenLDAP?  I don't want to implement an alpha
version of samba 3.0 since this is a production environment and I can't
risk having users locked out.

Is there somewhere else I can look to get documentation about this?

Thank you,

Joseph Morin
Dominion Diagnostics

From: Andrew Bartlett <abartlet at samba.org>
Date: 02/19/2003 06:12 PM
To: joe.morin at dominiondiagnostics.com
cc: samba at lists.samba.org
Subject: Re: [Samba] password aging

On Thu, 2003-02-20 at 07:11, joe.morin at dominiondiagnostics.com wrote:
> What are my options for implementing password aging using samba as my PDC?
> I can set the user's Linux password to expire, but it doesn't seem to
> propagate to their samba passwords.
> I absolutely need this functionality.  Is OpenLDAP the answer?

If you set 'obey pam restrictions = yes' and set up the correct PAM
configuration files, then Samba will also honor this.  You should also
set 'unix password sync = yes' and 'pam password change yes' so that the
password changes update the PAM backend too.

Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to
store your passwords, which fully supports password expiry, based on our
own 'pwdMustChange' attribute.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
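
The thread describes domain users being locked out at expiry with no warning on the Windows client. As an added example (not part of either message, and not Samba code), this Python sketch reads the aging fields of /etc/shadow entries so an administrator can list accounts that are in the warning window, already expired, or flagged for a forced change. The function names and sample entries are hypothetical, and the reading of shadow(5) is simplified (the inactivity field is ignored).

```python
from datetime import date

def days_since_epoch(d):
    """Shadow dates are whole days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def aging_status(line, today):
    """Return (user, state, days_left) for one /etc/shadow line.

    Simplified reading of the shadow(5) fields; the inactivity field is ignored.
    """
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = f[0], f[1]
    lastchg, maxage, warn, acct_exp = f[2], f[4], f[5], f[7]
    if pw.startswith(("!", "*")):
        return (user, "locked", None)            # no password login possible
    if acct_exp and today >= int(acct_exp):
        return (user, "account-expired", None)
    if lastchg == "0":
        return (user, "must-change", 0)          # change forced at next login
    if not lastchg or not maxage:
        return (user, "no-aging", None)
    days_left = int(lastchg) + int(maxage) - today
    if days_left < 0:
        return (user, "expired", days_left)
    if warn and days_left < int(warn):
        return (user, "warning", days_left)
    return (user, "ok", days_left)

def report(lines, today):
    """Entries an admin should act on before domain users are locked out."""
    rows = [aging_status(l, today) for l in lines
            if l.strip() and not l.startswith("#")]
    return [r for r in rows if r[1] in ("warning", "expired", "must-change")]

# Constructed sample entries (hashes are placeholders), not taken from the thread.
SAMPLE = [
    "alice:$1$placeholder:12114:0:1:7:::",      # max age 1 day, changed yesterday
    "bob:$1$placeholder:12000:0:90:7:::",       # max age 90 days, long overdue
    "carol:$1$placeholder:12100:0:99999:7:::",  # default max age, far in the future
    "dave:$1$placeholder:0:0:90:7:::",          # forced change at next login
    "nobody:*:12000:0:99999:7:::",              # no password login
]

if __name__ == "__main__":
    today = days_since_epoch(date(2003, 3, 4))
    for user, state, left in report(SAMPLE, today):
        print(user, state, left)
```

Run as root against the real file by passing `open("/etc/shadow")` and `days_since_epoch(date.today())` to `report`.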