[Samba] Password expiration and documentation problems
Marco De Vitis
starless at spin.it
Sun Jan 8 22:35:21 GMT 2006
I'm using Samba 3.0.21a on Debian Sarge, tdbsam account backend.
I was playing around with pdbedit and the account control flags, and
noticed a different behaviour from what I expected: if the password for
a user has expired, and I set the "X" account flag for him (pdbedit -c
"[X]" username), I'd expect the system to never tell him about his
Instead, the only difference is this: without the X flag, the user is
forced to change his password, while when the X flag is active he is
warned that the password has expired, but he has the choice to ignore
the warning and continue using the old password; this happens at each
logon, so eventually changing the password is unavoidable anyway to get
rid of the warning.
Is this the correct behaviour?
In other words: is setting the expiration date far away in the future
the only way to make a "never-expiring" password? I hoped to be able to
do it by using the X flag...
BTW, my user accounts initially had a password expiration date set to
sometime in 1901 (this was automatically set, I don't know why), and
this worked like a "far away date", because their passwords never
expired. Looks like what I'm after, but how can I recreate it? pdbedit
does not seem to accept dates outside the 1970-2038 range.
While playing with this, I encountered some problems in the
documentation. The most important is an error (I believe) in the HOWTO:
at the end of the section about pdbedit
an example is made where "maximum password age" should be set to 90 days
and "minimum password age" to 7 days... but the commands shown set the
time to 90 and 7 seconds, respectively!
Then, I think the pdbedit man page should mention that, instead of using:
> pdbedit -u username <some options>
...you can use:
> pdbedit <some options> username
...which is IMHO more friendly. I only discovered it by looking at the
samples in the HOWTO.
Finally, when reading in the pdbedit manpage that this is a tool to
"manage user accounts", you would expect it to also be able to change
user passwords... but AFAIK is not, and you must use smbpasswd even when
you're not using the smbpasswd password backend. IMHO this should be
made explicit in the docs, both in the pdbedit and smbpasswd man pages.
More information about the samba