[Samba] Posted this question once already -- no response. Password expiry problem

Adam Tauno Williams awilliam at whitemice.org
Tue Jan 22 09:54:32 MST 2013

On Tue, 2013-01-15 at 17:53 +0000, ray klassen wrote:
> Solved this problem 
> <gentle rant>
> This is precisely the sort of question that should be answerable on this list. 
> Has no one run into this before? 
> I've brought it up twice here and several times on the irc channel with no response, but the solution was simple enough
> </gentle rant>
> anyway here it is. So that it goes in the mailing list and others can find it.
> /etc/smbldap-tools/smbldap.conf includes a line that says 
> defaultMaxPasswordAge="45" 

FYI, I've never used smbldap-tools.

> This affects the sambaPwdMustChange date stamp attribute in the ldap
> user record at the time smbldap-passwd is run.
> sambaPwdMustChange appears to trump the user "X" flag and the maximum
> password age system policy
> Maybe that's the nature of the samba 3.x beast. 

Yes, that matches my recollection [I could be wrong].  The password
policy just controlled the calculation of sambaPwdMustChange.  I recall
just going in sometimes and manually setting sambaPwdMustChange to some
value like "12" in order to force a user to change their password on
their next logon, and moving the value way up to avoid expiration.

The precedence of one value over the other was never expressly documented
AFAIK. I *assumed*, and it seemed to be true, that the more specific
value [sambaPwdMustChange] would win.

> Maybe it has to be that way if you are using LDAP. 
> Now that Samba 4 is out probably no one will want to comment on that.

:)  I suggest you upgrade yesterday.  Samba4 is a much better PDC than
Samba3 ever thought about being on the brightest most optimistic spring
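
An added example, not part of the original thread and not code from Samba or smbldap-tools: a small audit over an LDIF export that flags accounts whose sambaPwdMustChange stamp forces an immediate change (like the "12" mentioned above) or has been moved past the configured maximum age. Assumptions: both sambaPwd* attributes are Unix timestamps in seconds, the expected expiry is sambaPwdLastSet plus defaultMaxPasswordAge days, and the sample entries, DNs and status labels are constructed for illustration.

```python
import time

MAX_AGE_DAYS = 45  # defaultMaxPasswordAge value quoted from smbldap.conf above

# Constructed sample export in ldapsearch-style LDIF; not real accounts.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
sambaPwdLastSet: 1357000000
sambaPwdMustChange: 1360888000

dn: uid=bob,ou=Users,dc=example,dc=org
sambaPwdLastSet: 1357000000
sambaPwdMustChange: 12

dn: uid=carol,ou=Users,dc=example,dc=org
sambaPwdLastSet: 1357000000
sambaPwdMustChange: 2147483647
"""

def parse_ldif(text):
    """Yield one dict per entry, keeping the first value of each attribute."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr, value.strip())
        if "dn" in entry:
            yield entry

def classify(entry, now, max_age_days=MAX_AGE_DAYS):
    """Compare the per-user stamp with the policy-derived expiry (assumed rule)."""
    must = entry.get("sambaPwdMustChange")
    if must is None:
        return "no-stamp"
    if int(must) <= now:
        return "must-change-now"   # includes tiny values such as 12
    last = entry.get("sambaPwdLastSet")
    if last is not None and int(must) > int(last) + max_age_days * 86400:
        return "beyond-policy"     # expiry pushed later than policy allows
    return "ok"

def audit(text, now=None):
    now = int(time.time()) if now is None else now
    return {e["dn"]: classify(e, now) for e in parse_ldif(text)}

if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF).items():
        print(f"{status:16} {dn}")
```
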

