[Samba] pdbedit and password expiration

Jim McDonough jmcd at themcdonoughs.org
Thu May 31 01:16:58 GMT 2007

On 5/30/07, lists at trcintl.com <lists at trcintl.com> wrote:
> 1.)  Does the --pwd-must-change-time switch of pdbedit work in 3.0.25a or
> is that left over from a previous version?

The change is that it was not the "correct" way of setting password
expiration.  It is supposed to be dynamically calculated from the policy.
This way, when the policy changes, users with longer password expiration
aren't getting grandfathered in.  We no longer support setting this

2.)  If it is supposed to work, can someone provide an example of how they
> have used it that has worked for them?

Instead, use the "net sam policy" command (it contains help text), and the
policy name is "maximum password age".   You can alternatively use pdbedit
-P "maximum password age" to view and additionally -C <seconds> to set the
policy.  You should immediately see that it has changed.  You cannot choose
"now" as a policy, or everyone's password would always been expired, even
immediately after set.  You should probably use the "net sam policy"
command, as we're trying to move away from the pdbedit command.

3.)  If it doesn't work, how can I expire a password for a particular user
> at a given date, or even expire it "now"?

To expire it "now" for a given user, you can issue "net sam set

Jim McDonough
Samba Team
jmcd at samba dot org

More information about the samba mailing list