[Samba] Samba + LDAP + Password Expiry = Almost working...

Collins, Kevin KCollins at nesbittengineering.com
Wed Sep 17 14:52:17 GMT 2003

Thanks for the info...

I've got a "custom version" of 2.2.7a with your suggestions building right
now on a test machine.

I'm like you, I think this is a "bug" in the code and cannot see any reason
for it to be doing this.  In fact, I think your suggestion about an smb.conf
parameter setting the number of days for a password to live is the proper
way to go.  But I don't know everything... :)


-----Original Message-----
From: Rauno Tuul [mailto:rauno.tuul at haigekassa.ee] 
Sent: Tuesday, September 16, 2003 3:07 PM
To: 'Collins, Kevin'
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] Samba + LDAP + Password Expiry = Almost working...


You almost got it... 

Samba 2 has a weird behaviour when using LDAP and a passwd program. When you
change the password from Windows, things happen like this: 
1) samba reads all the user data from LDAP to memory (doesn't read
2) executes the "passwd program" to change userPassword.
At this point your script also sets the new "pwdMustChange" value.
3) things get tricky here, when samba writes back all the data it got from
LDAP earlier and changes the password hashes.

So if your script changes the "pwdMustChange" value, samba puts it back as
it was before :P

Workaround is to modify pdb_ldap.c and teach samba not to write back
"pwdMustChange". It can be achieved with commenting out 2 lines.

Samba 3 calculates the new "pwdMustChange" based on policy. In Samba 2 you
must do it with scripts. btw, your perl script is way too complex.

I attached one of my e-mails sent to samba-technical ages ago, where this trick
is described.

Best regards,

Rauno Tuul.

-----Original Message-----
From: Collins, Kevin [mailto:KCollins at nesbittengineering.com]

I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
nearly 3 months now without much bother.

By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from
NT 4: Password Expiration.  In the past I have posted questions about this
on the list and I've gotten two answers:  "Wait for 3." or "Write your own
script to do it for you."  Well, I sorta went the second route.

By "sorta" I mean that I modified a pre-existing script to make it do what I
wanted it to.  What I did was this... I started with IDEALX's howto and
scripts to get things going.  I had Samba configured to use their
"smbldap-passwd.pl" script to modify passwords.  That worked, I could change
any Windows account password from Windows or the command line and indeed all
three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry "pwdMustChange" while looking at a user
account one day.  When I set this to a date inside of 14 days from today,
Windows begins to bark about "Password will expire in X days" - Great, I
thought, I've found my solution.  But the default password change script
wouldn't modify this value. [...], but I would prefer not to as they seem to work
so well. .................
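The read / run-passwd-program / write-back sequence Rauno describes, and why the workaround of not writing "pwdMustChange" back fixes it, modelled as an added example. This is not Samba code and not either poster's script: a small in-memory dictionary stands in for the LDAP directory, the set of attributes Samba 2.2 caches and writes back (SAMBA_MANAGED) is an assumption of the model, the user entry and "hashes" are constructed, and pwdMustChange is handled as Unix epoch seconds as in the Samba 2.2 schema.

```python
"""Model of the Samba 2.2 + LDAP password-change sequence from the thread.

Not Samba code: an in-memory dict stands in for LDAP, and the attribute set
that Samba writes back (SAMBA_MANAGED) is an assumption of this model.
"""
import time

DAY = 86400
# Assumed: attributes Samba 2.2 caches in memory before running the
# passwd program and writes back afterwards.
SAMBA_MANAGED = ("lmPassword", "ntPassword", "pwdMustChange")


def make_directory(now):
    """Constructed one-user directory; all values are made up."""
    return {
        "kcollins": {
            "uid": "kcollins",
            "userPassword": "{SSHA}old",
            "lmPassword": "OLD_LM",
            "ntPassword": "OLD_NT",
            "pwdMustChange": str(now),  # change due today
        }
    }


def must_change_after(now, max_age_days):
    """pwdMustChange value: Unix epoch seconds, max_age_days from now."""
    return str(now + max_age_days * DAY)


def passwd_program(directory, uid, new_password, now, max_age_days):
    """Stand-in for the site 'passwd program' script: changes the Unix
    password and, like Kevin's modified script, sets a new pwdMustChange."""
    entry = directory[uid]
    entry["userPassword"] = "{SSHA}" + new_password  # placeholder, not a hash
    entry["pwdMustChange"] = must_change_after(now, max_age_days)


def samba_change_password(directory, uid, new_password, now, max_age_days,
                          write_back_must_change):
    """The three steps Rauno lists: snapshot the entry, run the passwd
    program, then write the snapshot back with new LM/NT hashes.

    write_back_must_change=True  -> the Samba 2.2 behaviour he describes
    write_back_must_change=False -> the pdb_ldap.c workaround (pwdMustChange
                                    is not written back)
    """
    # 1) read the user data from LDAP into memory
    cached = {k: directory[uid][k] for k in SAMBA_MANAGED}
    # 2) run the passwd program, which updates LDAP behind Samba's back
    passwd_program(directory, uid, new_password, now, max_age_days)
    # 3) write the cached copy back with the new hashes
    cached["lmPassword"] = "LM(" + new_password + ")"  # placeholder hashes
    cached["ntPassword"] = "NT(" + new_password + ")"
    for attr, value in cached.items():
        if attr == "pwdMustChange" and not write_back_must_change:
            continue  # the effect of the two commented-out lines
        directory[uid][attr] = value
    return directory[uid]


def days_until_expiry(entry, now):
    """Whole days left before pwdMustChange."""
    return (int(entry["pwdMustChange"]) - now) // DAY


def expiry_warning(entry, now, warn_days=14):
    """The warning Windows shows once expiry is within warn_days, else None."""
    days = days_until_expiry(entry, now)
    if days <= warn_days:
        return "Password will expire in %d days" % days
    return None


if __name__ == "__main__":
    now = int(time.time())
    for write_back in (True, False):
        d = make_directory(now)
        e = samba_change_password(d, "kcollins", "s3cret", now, 90, write_back)
        print("write back pwdMustChange=%s -> expires in %d days (%s)"
              % (write_back, days_until_expiry(e, now), expiry_warning(e, now)))
```

With the full write-back the script's new pwdMustChange is overwritten by the stale cached value, so the user keeps seeing the expiry warning right after changing the password; with pwdMustChange excluded from the write-back, the hashes are still updated and the script's expiry date survives.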
