[Samba] Samba + LDAP + Password Expiry = Almost working...

Rauno Tuul rauno.tuul at haigekassa.ee
Tue Sep 16 19:07:15 GMT 2003


You almost got it... 

Samba 2 has a weird behaviour, when using LDAP and passwd program. When you
change the password from windows, things happen like this:
1) samba reads all the user data from LDAP to memory (doesn't read
2) executes the "passwd program" to change userpassword.
At this point your script also sets the new "pwdMustChange" values.
3) things get tricky here, when samba writes back all the data it got from
LDAP earlier and changes password hashes.

So if your script changes the "pwdMustChange" value, samba puts it back as
it was before :P

Workaround is to modify pdb_ldap.c and teach samba not to write back
"pwdMustChange". It can be achieved with commenting out 2 lines.

While samba3 calculates the new "pwdMustChange" based on policy, in samba2 you
must do it with scripts.
btw, your perl script is way too complex.

I attached one of my e-mails sent to samba-technical ages ago, where this trick
is described.

Best regards,

Rauno Tuul.
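
The read-modify-write sequence described above, as an added illustration that is not part of this thread or of Samba's own code: a small Python model of the Samba 2 password change, showing how the cached copy of the entry clobbers the "pwdMustChange" value the passwd script just set, and how skipping that attribute on write-back (the pdb_ldap.c workaround) keeps it. The entry contents, hash strings and timestamps are constructed sample values.

```python
# Attributes of one user entry that Samba 2 reads and writes back (subset, for illustration).
SAMBA_ATTRS = ("lmPassword", "ntPassword", "pwdMustChange")
POLICY_DAYS = 90  # assumed site policy: password expires 90 days after a change


def fresh_entry():
    """Constructed sample of the Samba-related attributes of one LDAP user entry."""
    return {"lmPassword": "OLD_LM", "ntPassword": "OLD_NT", "pwdMustChange": "1063000000"}


def passwd_program(entry, now):
    """Stand-in for the site's 'passwd program' script.

    Besides changing the Unix password (not modelled here), it sets
    pwdMustChange = now + policy, the way it has to be done on samba2.
    """
    entry["pwdMustChange"] = str(now + POLICY_DAYS * 86400)


def samba2_change_password(entry, now, write_back_pwd_must_change=True):
    """Models the three steps from the post on a single in-memory entry."""
    cached = dict(entry)            # 1) Samba reads the whole entry into memory
    passwd_program(entry, now)      # 2) the script updates the entry in LDAP
    cached["lmPassword"] = "NEW_LM" # 3) Samba computes new hashes on its cached copy...
    cached["ntPassword"] = "NEW_NT"
    for attr in SAMBA_ATTRS:
        if attr == "pwdMustChange" and not write_back_pwd_must_change:
            continue                # workaround: never write pwdMustChange back
        entry[attr] = cached[attr]  # ...and writes the copy back, stale values included
    return entry


def expiry_update_lost(entry, now):
    """True when the script's new expiry did not survive Samba's write-back."""
    return int(entry["pwdMustChange"]) != now + POLICY_DAYS * 86400


if __name__ == "__main__":
    now = 1063695000  # constructed "current time" in epoch seconds
    stock = samba2_change_password(fresh_entry(), now)
    patched = samba2_change_password(fresh_entry(), now, write_back_pwd_must_change=False)
    print("stock samba2 lost the new expiry:", expiry_update_lost(stock, now))
    print("patched pdb_ldap lost the new expiry:", expiry_update_lost(patched, now))
```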

-----Original Message-----
From: Collins, Kevin [mailto:KCollins at nesbittengineering.com]

I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
nearly 3 months now without much bother.

By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from
NT 4: Password Expiration.  In the past I have posted questions about this
on the list and I've gotten two answers:  "Wait for 3." or "Write your own
script to do it for you."  Well, I sorta went the second route.

By "sorta" I mean that I modified a pre-existing script to make it do what I
wanted it to.  What I did was this...I started with IDEALX's howto and
scripts to get things going.  I had Samba configured to use their
"smbldap-passwd.pl" script to modify passwords.  That worked, I could change
any Windows account password from Windows or the command line and indeed all
three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry "pwdMustChange" while looking at a user
account one day.  When I set this to a date inside of 14 days from today,
Windows begins to bark about "Password will expire in X days" - Great I
thought I found my solution.  But the default password change script
wouldn't modify this value., but I would prefer not to as they seem to
work so well.
