[Samba] password aging in Samba 3

[John H Terpstra]

On Tuesday 21 June 2005 09:26, Kurt Bechstein wrote:
> > > The next question is about password aging.  I have a client that would
> > > like to have the user have to reset their password after 60 days.  I've
> > > seen some inklings online of being able to do with pdbedit, but the
> > > documentation seems non-existent at best on how to do this.  Maybe this
> > > is also doable with a policy setup.  I haven't actually tried that one
> > > yet so if that works just let me know and I'll dig into that.  Thanks
> > > in advance.
> >
> > You can use either the NT4 Domain User Manager to manage all aspects of
> > your user and group accounts, or you can use pdbedit from the command
> > line.
>
> I've tried using the NT4 Domain Manager in conjunction with the tdbsam
> backed but haven't had any luck as far as password aging goes.  It
> doesn't seem to be making any changes at least as far pdbedit -L -v
> goes.  Also, I've tried to change the max password age via pdbedit -P
> "max password age" -C ????.  However, according to M$'s documentation
> this value is stored from 1-999 but this doesn't look like what the tdb
> file is storing.  What type of parameter do I need to pass to pdbedit to
> enforce a 60 day password expiration?  I'm doing this on Red Hat
> enterprise 4 by the way.  Thanks in advance.

The maximum password age is stored in seconds. 1 day == 86400 seconds
The useful range that matches NT4 capabilities is 86400 - 86313600 sec (999 
days). When you set this to never expire in NT4 it sets to 4294967295 sec.

So, 60 days = 5184000


- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.