[Samba] password aging

joe.morin at dominiondiagnostics.com joe.morin at dominiondiagnostics.com
Tue Mar 4 19:12:56 GMT 2003






Still no luck.
I set 'obey pam restrictions = yes' and 'pam password change yes', I
already had the 'unix password sync = yes'.
I can see entries in the log like this :

Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users username

So I'm assuming samba is working with pam.  I have also successfully
changed my user password via the client.  I have edited /etc/shadow to
expire my password in 1 day.  When I log into the machine via ssh I get the
messages saying my password is about to expire, but when I log onto the PC
(which has joined the domain) I don't get the popup message.  If my
password does expire on linux/samba, I get locked out of the domain without
receiving any message on the PC. (This happened to me when my password
expired yesterday).

I have samba and pam implemented, do I need to implement something else?

Should I try implementing OpenLDAP?  I don't want to implement an alpha
version of samba 3.0 since this is a production environment and I can't
risk having users locked out.

Is there somewhere else I can look to get documentation about this?

Thank you,


Joseph Morin
Dominion Diagnostics



Andrew Bartlett <abartlet at samba.org>
02/19/2003 06:12 PM
To: joe.morin at dominiondiagnostics.com
cc: samba at lists.samba.org
Subject: Re: [Samba] password aging




On Thu, 2003-02-20 at 07:11, joe.morin at dominiondiagnostics.com wrote:
> What are my options for implementing password aging using samba as my PDC?
> I can set the users' Linux password to expire, but it doesn't seem to
> propagate to their samba passwords.
> I absolutely need this functionality.  Is OpenLDAP the answer?

If you set 'obey pam restrictions = yes' and set up the correct PAM
configuration files, then Samba will also honor this.  You should also
set 'unix password sync = yes' and 'pam password change yes' so that the
password changes update the PAM backend too.

Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to
store your passwords, which fully supports password expiry, based on our
own 'pwdMustChange' attribute.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
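Added example, not part of either message above: since the thread reports that domain clients get no expiry popup, an administrator can read the aging fields of /etc/shadow directly and list the accounts to notify before they are locked out. The function names and sample entries are hypothetical, and the arithmetic assumes the usual shadow(5) meaning of the lastchg, max and warn fields.

```python
from datetime import date

# Constructed sample in /etc/shadow format; hashes are placeholders.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:!:12000:0:99999:7:::
alice:$1$placeholder:12100:0:30:7:::
bob:$1$placeholder:12090:0:30:7:::
carol:$1$placeholder:12080:0:30:7:::
dave:$1$placeholder:0:0:30:7:::
svc:*::0:::::
"""

def epoch_days(d):
    """Days since 1970-01-01, the unit used by the shadow aging fields."""
    return (d - date(1970, 1, 1)).days

def password_status(line, today):
    """Return (user, state, days_left) for one shadow line.

    state is 'no-aging', 'must-change', 'expired', 'warning' or 'ok'.
    """
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError("not a shadow entry: %r" % line)
    user, lastchg, maxage, warn = fields[0], fields[2], fields[4], fields[5]
    if lastchg == "" or maxage == "":
        return (user, "no-aging", None)      # empty field disables aging
    if int(lastchg) == 0:
        return (user, "must-change", 0)      # change forced at next login
    left = int(lastchg) + int(maxage) - epoch_days(today)
    if left < 0:
        return (user, "expired", left)       # past lastchg + max
    if left < int(warn or 0):
        return (user, "warning", left)       # inside the warning window
    return (user, "ok", left)

def needs_attention(shadow_text, today):
    """Entries whose owners should be told to change their password."""
    rows = [password_status(l, today)
            for l in shadow_text.splitlines() if l.strip()]
    return [r for r in rows if r[1] in ("must-change", "expired", "warning")]

if __name__ == "__main__":
    for user, state, left in needs_attention(SAMPLE_SHADOW, date(2003, 3, 4)):
        print("%-8s %-12s days_left=%s" % (user, state, left))
```

To run it against the live file, pass the contents of /etc/shadow (readable only by root) and date.today() instead of the constructed sample.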

