[Samba] period password change problem

[Tony Earnshaw]

tor, 14.04.2005 kl. 15.03 skrev boka:

> I use samba (3.0.7) with ldap backend.
> 
> I have installed above system some time ago. During our migration from 
> netware to samba i had to disable period password change and do not 
> remeber what i have "clicked" :-/
> 
> What parameters should be "on" to enable this functionality ?

Things that you can't find in 'man smb.conf' or the SWAT help (the same)
usually aren't available. Sometimes they are, but undocumented.

In this case, this is policy and a Windows thing. As far as XP goes, one
uses mmc to change policy. This has a snap-in facility to enable what
you're looking for.

HOWEVER. As the Samba doco says, you can't normally use mmc to construct
policies.

HOWEVER. A German firm has produced the Nitrobit Group Policy Editor
which, for a fee (license per workstation, for schools at least, is dead
cheap) makes it possible to edit the *GROUP* snapin module, store it on
netlogon and read it in (and execute it) during logon.

HOWEVER, the password stuff is not in the group module, it's in the
Security Templates module, so Nitrobit ignores it.

So that's a dead loss.

Now, big breath (as the doctor said; answer: "yeth, and I'm only
thixthteen"):

The ldapsam backend provides the following attributes, which should be
there in tdbsam too:

sambaPasswordHistory
sambaPwdCanChange
sambaPwdMustChange
sambaPwdLastSet

It doesn't have any other means of storing extended (Windows) password
parameters (min. length, complexity etc.).

As far as LDAP goes, it gives the possibility od adding attributes in
the passwordPolicy objectclass from ns-pwd-policy.schema. But similar
would have to be added to other backends (tdbsam, MySQL, whatever).

How does one set the attributes that are already  available in the
ldapsam backend?

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...