[Samba] Password expiration and documentation problems

Marco De Vitis starless at spin.it
Sun Jan 8 22:35:21 GMT 2006 

Hello,
I'm using Samba 3.0.21a on Debian Sarge, tdbsam account backend.

I was playing around with pdbedit and the account control flags, and 
noticed a different behaviour from what I expected: if the password for 
a user has expired, and I set the "X" account flag for him (pdbedit -c 
"[X]" username), I'd expect the system to never tell him about his 
expired password.
Instead, the only difference is this: without the X flag, the user is 
forced to change his password, while when the X flag is active he is 
warned that the password has expired, but he has the choice to ignore 
the warning and continue using the old password; this happens at each 
logon, so eventually changing the password is unavoidable anyway to get 
rid of the warning.

Is this the correct behaviour?
In other words: is setting the expiration date far away in the future 
the only way to make a "never-expiring" password? I hoped to be able to 
do it by using the X flag...

BTW, my user accounts initially had a password expiration date set to 
sometime in 1901 (this was automatically set, I don't know why), and 
this worked like a "far away date", because their passwords never 
expired. Looks like what I'm after, but how can I recreate it? pdbedit 
does not seem to accept dates outside the 1970-2038 range.

While playing with this, I encountered some problems in the 
documentation. The most important is an error (I believe) in the HOWTO: 
at the end of the section about pdbedit 
(<http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing>) 
an example is made where "maximum password age" should be set to 90 days 
and "minimum password age" to 7 days... but the commands shown set the 
time to 90 and 7 seconds, respectively!

Then, I think the pdbedit man page should mention that, instead of using:

 >   pdbedit -u username <some options>

...you can use:

 >   pdbedit <some options> username

...which is IMHO more friendly. I only discovered it by looking at the 
samples in the HOWTO.

Finally, when reading in the pdbedit manpage that this is a tool to 
"manage user accounts", you would expect it to also be able to change 
user passwords... but AFAIK is not, and you must use smbpasswd even when 
you're not using the smbpasswd password backend. IMHO this should be 
made explicit in the docs, both in the pdbedit and smbpasswd man pages.

Thanks.

-- 
Ciao,
   Marco.

More information about the samba mailing list