[Samba] Problems with password policy in Samba 3.0.4

Jonathan Johnson jon at sutinen.com
Tue May 11 22:53:00 GMT 2004


Have an issue with password policy in Samba 3.0.4 with tdbsam password
backend on RedHat 8.0. This issue was observed with an up-to-date
Windows XP client, NT's SRVTOOLS on Windows 2000.

I can set password policy (expiration, length, etc.) using usrmgr.exe
from the Windows NT Server Tools. After setting policy, when I execute
'pdbedit -Lv someuser', it does not display the correct "Password Must
Change" UNTIL the user's password is changed, either with smbpasswd or
CTRL-ALT-DEL on the user's workstation.

For example, using usrmgr.exe, I set policy that passwords must expire
in 90 days. I unchecked "Password Never Expires" for the user in
question. When I did 'pdbedit -Lv username', it still showed that the
expiration was Mon Jan 18, 2038. Upon changing the password using
CTRL-ALT-DEL from the user's XP workstation, the password was
successfully changed. Executing 'pdbedit -Lv username' now displays the
correct expiration, 90 days from now.

Likewise, if I set "Password Never Expires" (in usrmgr.exe) for this
user, the pdbedit still displays a password expiration 90 days from
now.

I have not tested to see if the password will expire when policy
demands if the wrong date is displayed in pdbedit.

Another question: is the password expiration date relative to the
system date/time of the Samba server or of the Windows client?

--Jon Johnson
Sutinen Consulting, Inc.



More information about the samba mailing list