[Samba] tdbsam allow users to change password without notice!!!

Hubert Choma hubert.ch at wp.pl
Wed Apr 2 13:20:58 GMT 2008

I use tdbsam .
I use pdbedit -P "password hisotry" -C 3
pdbedit -P "min password length" -C 5
         -P "maximum password age" -C 7776000 (90 days)
         -P "minimum password age" -C 6912000 (80 days)
         -P "user must logon to change password" -C 2 (on)
So my passwords need to be changed every 90 days and user can change it 
after 80 days .

I use this policies 6months and everything was ok. Windows xp users 
after logon was informed that they must chang password for xx days and 
they can change it after 80 days.
But after changing time from winter to summer pdbedit work very strange!!

Today  I have discover terrible thing. pdbedit -Lv show me that every 
user changed password but windows doesn't show any notice about password 
change !!! The worst think is that password history doesn't worked and 
allow all users to write down the same password!!

Nobody even know that change his own password because windows doesnt' 
show any notice, any window !!! They normally login as everyday do but  
pdbedit "changed password last set" entry to today date !!!
 Pdbedit -Lv shows that password was set eg today and next time they can 
change passord for 80 days!!!! But password is the same !!!

 What should I do to force samba and pdbedit to change passwords correct 
and force to admonish password history !!!??
Unix username:        fujitsu
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2794518228-724393910-221713885-2114
Primary Group SID:    S-1-5-21-2794518228-724393910-221713885-513

Logon time:           0
Logoff time:          never
Kickoff time:         0
Password last set:    Śr, 02 IV 2008 12:52:38 CEST
Password can change:  So, 21 VI 2008 12:52:38 CEST
Password must change: Wt, 01 VII 2008 12:52:38 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours         : 000000807F00807F00807F00807F00807F00000000

My smb.conf
        workgroup = geodezja
        server string = Samba Server %v
        interfaces = eth2 lo
        bind interfaces only = Yes
;       encrypt passwords = Yes
        update encrypted = Yes
;       client plaintext auth = Yes
        log level = 2 vfs:3 auth:2 passdb:3
        log file = /var/log/samba/%U.%m.log
;       max log size = 5000
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        printer admin = root, at domadm
        load printers = yes
        printing = cups
        cups options = raw

        logon script = %G.CMD
        logon path =
        logon home =
        domain logons = yes
        os level = 128
        preferred master = yes
        domain master = yes
;       local master = yes
        remote browse sync = none
        remote announce = none
        dns proxy = No
        wins support = yes
        name resolve order = wins bcast host lmhosts
        hosts allow =
;       unix password sync = no
        security = user
;       password level = 0
;       null passwords = no
;       deadtime = 0
;       map to guest = never
        create mask = 0777
        nt acl support = no
        time server = yes
;       enable privileges = yes
        passdb backend = tdbsam
        username map = /etc/samba/smbusers

Cracow Screen Festival (CSF) Kraków, 2-4 maja 2008
Koncerty oraz sztuka videografii w przestrzeni miejskiej!
Bryan Ferry, Underworld, The Raveonettes, Mattafix

More information about the samba mailing list