[Samba] ShadowLastChange does not update

Carl Werner carl at beekmanbrothers.co.za
Wed Sep 30 02:49:00 MDT 2009

Hi Everyone,

I have a Samba 3.0.34 PDC setup with OpenLDAP 2.3.43 as backend on a 
Gentoo server. I also use LDAP for IMAP, SMTP and proxy authentication.

For some reason the shadowLastChange does not update when a user changes 
his/her password from Windows XP. The samba and unix passwords and also 
the samba "Password must change field" does change as required, it is 
only the ShadowLastChange that does not update. It does update when I 
run smbldap-passwd from command line and also through LDAP Account 
Manager. This causes the unix password on LDAP to expire before the 
Samba password has expired and then the user can not use his email or 
internet connection.

I have tried different combinations of the passwd settings in smb.conf, 

ldap password sync = yes

Also tried:
ldap password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Re*ype*new*password* %n\n \

I also created my own script which calls smbldap-passwd and then 
manually updates ShadowLastChange. This worked fine from the command 
line but did not seem to work from Windows XP.

I have also given full access to all users on LDAP in case it was a 
permissions problem, but to no avail...

I have been battling with this problem for the last month. Hope someone 
can give me some pointers. Please let me know if i need to post any 
other info...


Carl Werner

More information about the samba mailing list