[Samba] password aging

joe.morin at dominiondiagnostics.com joe.morin at dominiondiagnostics.com
Wed Mar 5 22:37:28 GMT 2003






Sorry for the confusion, I'm using Win2k clients, not Win9X.

Joseph Morin
Dominion Diagnostics



                                                                           
Andrew Bartlett <abartlet at samba.org>
03/05/2003 04:59 PM

To: joe.morin at dominiondiagnostics.com
cc: Andrew Bartlett <abartlet at samba.org>, samba at lists.samba.org
Subject: Re: [Samba] password aging




On Wed, 2003-03-05 at 06:12, joe.morin at dominiondiagnostics.com wrote:
> Still no luck.
> I set 'obey pam restrictions = yes' and 'pam password change yes', I
> already had the 'unix password sync = yes'.
> I can see entries in the log like this :
>
> Mar 4 13:13:42 servername samba(pam_unix)[12225]: session opened for user username by (uid=0)
> Mar 4 13:14:37 servername samba(pam_unix)[12225]: session closed for users username
>
> So I'm assuming samba is working with pam.  I have also successfully
> changed my user password via the client.  I have edited /etc/shadow to
> expire my password in 1 day.  When I log into the machine via ssh I get the
> messages saying my password is about to expire, but when I log onto the PC
> (which has joined the domain) I don't get the popup message.  If my
> password does expire on linux/samba, I get locked out of the domain without
> receiving any message on the PC. (This happened to me when my password
> expired yesterday).
>
> I have samba and pam implemented, do I need to implement something else?

Don't use Win9X as a 'domain' client.   Samba 2.2. does not support
sensible error codes to Win9X for this behavior.  Samba 3.0 does,
however (due to a complete auth rewrite).

> Should I try implementing OpenLDAP?  I don't want to implement an alpha
> version of samba 3.0 since this is a production environment and I can't
> risk having users locked out.
>
> Is there somewhere else I can look to get documentation about this?
>
> Thank you,
>
>
> Joseph Morin
> Dominion Diagnostics
>
> Andrew Bartlett <abartlet at samba.org>
> 02/19/2003 06:12 PM
>
> To: joe.morin at dominiondiagnostics.com
> cc: samba at lists.samba.org
> Subject: Re: [Samba] password aging
>
> On Thu, 2003-02-20 at 07:11, joe.morin at dominiondiagnostics.com wrote:
> > What are my options for implementing password aging using samba as my PDC?
> > I can set the users' Linux password to expire, but it doesn't seem to
> > propagate to their samba passwords.
> > I absolutely need this functionality.  Is OpenLDAP the answer?
>
> If you set 'obey pam restrictions = yes' and set up the correct PAM
> configuration files, then Samba will also honor this.  You should also
> set 'unix password sync = yes' and 'pam password change yes' so that the
> password changes update the PAM backend too.
>
> Or move to Samba 3.0 (currently alpha) and use the pdb_ldap backend to
> store your passwords, which fully supports password expiry, based on our
> own 'pwdMustChange' attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
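
An added example, not part of the original thread or of Samba: because the domain client described above shows no expiry popup, an administrator can read the /etc/shadow aging fields directly and list the accounts that are in their warning window or already expired, so those users can be told out of band. Field meanings follow shadow(5); the user names, hashes and date below are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
SAMPLE_TODAY = date(2003, 3, 5)   # constructed "now" (day 12116 since the epoch)
SAMPLE_SHADOW = [                 # constructed lines with placeholder hashes
    "alice:$1$x$CONSTRUCTED:12115:0:2:7:::",     # max age 2 days, changed yesterday
    "bob:$1$x$CONSTRUCTED:12100:0:10:7:::",      # max age passed 6 days ago
    "carol:$1$x$CONSTRUCTED:12000:0:30:7:14::",  # past max age plus inactivity grace
    "dave:$1$x$CONSTRUCTED:12110:0:::::",        # no maximum age set
    "erin:$1$x$CONSTRUCTED:0:0:90:7:::",         # lastchg 0: change at next login
]

def _num(field):
    """Shadow aging fields are day counts; an empty field means 'not set'."""
    return int(field) if field.strip() else None

def aging_status(line, today):
    """Classify one shadow(5) line as of `today` (a datetime.date).

    Returns (user, state, days_left); days_left is None when no maximum
    password age applies, and negative once the password has expired.
    """
    f = (line.rstrip("\n").split(":") + [""] * 9)[:9]
    user = f[0]
    lastchg, _minage, maxage, warn, inactive, expire = (_num(x) for x in f[2:8])
    now = (today - EPOCH).days
    if expire is not None and now >= expire:
        return user, "account-expired", None
    if lastchg == 0:
        return user, "must-change", 0
    if lastchg is None or maxage is None:
        return user, "ok", None
    days_left = lastchg + maxage - now
    if days_left < 0:
        if inactive is not None and -days_left > inactive:
            return user, "locked", days_left
        return user, "password-expired", days_left
    if warn is not None and days_left < warn:
        return user, "warning", days_left
    return user, "ok", days_left

def needs_notice(lines, today):
    """Accounts an admin should contact: everything that is not plainly 'ok'."""
    rows = (aging_status(l, today) for l in lines if l.strip() and not l.startswith("#"))
    return [r for r in rows if r[1] != "ok"]

if __name__ == "__main__":
    for user, state, left in needs_notice(SAMPLE_SHADOW, SAMPLE_TODAY):
        print(f"{user:8} {state:17} days_left={left}")
```

Reading the real /etc/shadow requires root; pass its lines and `date.today()` to `needs_notice` in place of the constructed samples.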