[Samba] Modifying password expiry dates

Damian Gerow damian at sentex.net
Wed Oct 1 15:34:09 GMT 2003

Thus spake Andrew Bartlett (abartlet at samba.org) [01/10/03 06:18]:
> > I've just found out that Samba (rather correctly) implements a nice and low
> > password expiry date through the tdbsam backend, and I believe the "maximum
> > password age" value.
> > 
> > However, I can't, for the life of me, actually /set/ this thing.  I've tried
> > this:
> > 
> >     # pdbedit -u <username> -r -P "maximum password age" -C 100
> If you got the syntax right, this would set the maximum password age
> 'policy' to 100 seconds.   There is no way to set the 'expiry time' for
> a particular password.

Unfortunately, I didn't have the syntax right.  I was approaching it from
the per-user perspective, when it's actually the per-site perspective.  So
we dropped the '-u <username>', and all is fine.

As well, the documentation led me to believe that the password age policy
was measured in days, not seconds.  Which would explain the very odd
consequences of setting it to 100...

> > We're running Samba 3.0b3, if that makes a difference.
> It does - if you upgrade to 3.0.0 release, and delete the
> account_policy.tdb, you will get no password expiry by default.  Then
> you can reset the policy to whatever you like (hint: pdbedit -P "maximum
> password age -C 1000000 ), and then change all the password that are now
> expiring.
> For the timebeing, the ldapsam backend remains the best for allowing
> arbitary control of these details.

Unfortunately, until I can cleanly import our userbase into LDAP (I'm an
LDAP weenie still), I can't do it.  I've tried a couple of times now, and
been about 95% successful, so I'll try again next time I get the chance.
That's why we're using TDB.

More information about the samba mailing list