[Samba] samba + ldap + pam_mkhomedir ?

Buchan Milne bgmilne at cae.co.za
Tue May 6 13:36:37 GMT 2003


Rauno Tuul wrote:
>>-----Original Message-----
>>From: Buchan Milne [mailto:bgmilne at cae.co.za]
>>Sent: 06. mai 2003. a. 16:05
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] samba + ldap + pam_mkhomedir ?
>>>BTW, I would appreciate your comments on this document then:
> There is a little mistake in your document.

Well, it's not really a mistake, it's a purposeful omission ... since it
was too complicated an issue, I have played with this before:

[bgmilne at hercules bgmilne]$ ldapsearch -x "(uid=bgmilne)" pwdMustChange -LLL
dn: uid=bgmilne,ou=People,dc=cae,dc=co,dc=za
pwdMustChange: 0

But there is no easy way to get it working now AFAICS.

> Samba's LDAP schema contains a parameter: pwdMustChange
> samba 2.2.* is capable of reading the value from there and warning users: "Your
> password will expire in 14 days", and so on.
> But the only way to set proper value there, is to do it manually.

But I think this is the wrong approach, since as far as I understand it
(I will have to look into some of my old mail, I tracked this issue down
before to see how it works), the pwdMustChange value shouldn't need to
be set when the user sets their password, only pwdLastSet. Samba then
compares the current date to pwdLastSet+pwdMustChange, to determine if
it needs to prompt the user to change the password.

But, we will have the same problem, since Samba (at least last time I
checked) does not update pwdLastSet, and will probably also overwrite it
if you set it via smbldaptools or some other password change script.

> Problem is that samba doesn't use any configurable value "password expire
> time" and changes the default value to year ~2030.
> I've written about it to the samba-technical list, but no one responded to it.
> I added my old e-mail about it.

Thanks. I think all that needs to happen is:
1) Samba should re-read LDAP data after running the password program
2) Samba should update pwdLastSet when a password has changed.

Maybe I will test with your script and a slightly different patch to
pdb_ldap.c ...

In the meantime, I may provide an example script that will check users
shadowexpire values, and mail them (provided their LDAP account has a
mail attribute) to change their password.

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
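The message above mentions an example script that checks users' shadowExpire values and mails those who have a mail attribute. The following is an added illustration of that check, not the script the author refers to or any Samba/smbldap-tools code. It assumes the RFC 2307 meaning of shadowExpire (account expiry as days since the Unix epoch, with an absent value or -1 meaning no expiry), works on constructed LDIF text such as ldapsearch -LLL would print, and only builds the notices rather than sending mail; the warning window of 14 days and the entry names are assumptions.

```python
"""List LDAP accounts whose shadowExpire falls within a warning window.

Added example (not the original poster's script). Assumes RFC 2307
semantics: shadowExpire is the expiry day counted in days since the
Unix epoch; a missing value or -1 means the account never expires.
"""
import datetime

# Constructed sample output, as if from:
#   ldapsearch -x -LLL "(objectClass=shadowAccount)" uid mail shadowExpire
# Values are chosen relative to 2003-05-06, which is day 12178.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
mail: alice@example.com
shadowExpire: 12188

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowExpire: 12183

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
mail: carol@example.com
shadowExpire: -1

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
mail: dave@example.com
shadowExpire: 12308
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into dicts.

    Each entry maps attribute name -> list of values; entries are
    separated by blank lines, as in ldapsearch -LLL output.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def days_since_epoch(day):
    """Convert a date to the day count used by shadowExpire."""
    return (day - datetime.date(1970, 1, 1)).days


def expiring_accounts(entries, today_days, warn_days=14):
    """Return (uid, mail or None, days_left) for accounts that expire
    within warn_days, including ones that have already expired."""
    result = []
    for entry in entries:
        expire = int(entry.get("shadowExpire", ["-1"])[0])
        if expire < 0:
            continue  # never expires
        days_left = expire - today_days
        if days_left <= warn_days:
            mail = entry.get("mail", [None])[0]
            result.append((entry["uid"][0], mail, days_left))
    return result


def build_notices(expiring):
    """Turn the expiry list into (address, message) pairs.

    Accounts with no mail attribute cannot be notified this way and are
    left out; a real script should report them separately.
    """
    notices = []
    for uid, mail, days_left in expiring:
        if mail is None:
            continue
        if days_left < 0:
            body = "Your account %s expired %d day(s) ago." % (uid, -days_left)
        else:
            body = "Your password for %s expires in %d day(s)." % (uid, days_left)
        notices.append((mail, body))
    return notices


if __name__ == "__main__":
    today = days_since_epoch(datetime.date.today())
    for addr, msg in build_notices(expiring_accounts(parse_ldif(SAMPLE_LDIF), today)):
        print(addr, "->", msg)
```

Running it against a live directory would replace SAMPLE_LDIF with the output of ldapsearch and hand the notices to a mail command; the point of keeping the selection logic in a pure function is that it can be tested with a fixed "today" before being put in a cron job.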

