[Samba] Misleading "Password can change" in pdbedit?

Josh Kelley joshkel at gmail.com
Wed Oct 10 17:47:22 GMT 2007

One of our users tried to change his password through Samba and was
told that he was unable to do so.  Samba logged the following error:

user john.doe does not have permissions to change password

I checked the Samba source code to see what this error meant, and I
found that it meant that the "password can change" time was set to the
maximum time allowed.  However, when I ran pdbedit to verify, it said
that the user could change his password whenever he wanted:

Password last set:    Mon, 03 Sep 2007 09:55:46 EDT
Password can change:  Mon, 03 Sep 2007 09:55:46 EDT

I investigated further by checking the user's LDAP entry directly and
by checking the source code for pdbedit and found that the user's
sambaPwdCanChange was 2147483647 (the max time allowed, meaning no
password change is permitted) and that pdbedit usually doesn't
actually use the sambaPwdCanChange attribute in displaying "Password
can change" and so may give no indication at all that password changes
are disabled for an account.

Is this a bug in pdbedit, or is it a misconfiguration or
misunderstanding on my part?

Thank you.

Josh Kelley

More information about the samba mailing list