[Samba] User and Password expiry

Neil nwilson123 at gmail.com
Mon Jan 12 02:15:56 MST 2015

Hi guys,

I'm battling to understand how the Samba4 user password expiry seems
to tie in together, and was hoping someone could clarify this for me,
please.

Currently I have the following Samba4 domain policies in place...

[root at headoffice ~]# samba-tool domain passwordsettings show
Password informations for domain 'DC=abc-ho,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 12
Minimum password length: 8
Minimum password age (days): 1
Maximum password age (days): 60

If I search for an account on the command line, the following attributes show...

ldapsearch -x -H "ldap://" -b "dc=abc-ho,dc=local" -D "blabla@abc-ho.local" -w mypass sAMAccountName=hr
# extended LDIF
# LDAPv3
# base <dc=abc-ho,dc=local> with scope subtree
# filter: sAMAccountName=hr
# requesting: ALL
# hr, Users, abc-ho.local
dn: CN=hr,CN=Users,DC=abc-ho,DC=local
cn: hr
instanceType: 4
whenCreated: 20140819154552.0Z
uSNCreated: 4452
name: hr
objectGUID:: 9yP2bYYXoUCCpl1Hk7fEww==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
logonCount: 0
sAMAccountName: hr
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=abc-ho,DC=local
homeDirectory: \\headoffice\hr
homeDrive: Z:
scriptPath: hr.bat
accountExpires: 137919572470000000
logonHours:: ////////////////////////////
userAccountControl: 512
description: Head Office HR
uidNumber: 1129
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/hr
loginShell: /bin/false
gidNumber: 513
msSFU30NisDomain: abc-ho
whenChanged: 20150102054825.0Z
uSNChanged: 74252
pwdLastSet: 130646513050000000
distinguishedName: CN=hr,CN=Users,DC=abc-ho,DC=local

If I then look through the "AD Domain Users and Groups" utility under
the "Account" tab the password is set to expire on the 17th of January
2038 (which I presume came from when the accounts were imported off an
old Samba3 server)

Surely if I've set the domain policy of a 60-day expiry, this should
override the pre-existing account expiry? I'm fairly certain this
account has existed for more than 60 days since the policy was
I'm running sernet-samba-ad-4.1.12-9.el6.x86_64

Please shout if you have any questions.

Thanks, any help is appreciated.


Neil Wilson.
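Added worked example (editor's code, not from the post and not Samba's own): the two large integers in the LDIF above, pwdLastSet and accountExpires, are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC). Active Directory, and Samba AD, derive the password expiry date from pwdLastSet plus the domain's maxPwdAge, while accountExpires is a separate attribute that only controls when the account itself stops being usable; the userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD) is what would switch password expiry off. The script below decodes the timestamps from a trimmed copy of the entry in the post, applies the 60-day maximum age shown by samba-tool, and reports the resulting expiry. The LDIF literal is constructed from the post's values; the maxPwdAge value -51840000000000 is what a 60-day policy is stored as on the domain object.

```python
"""Decode AD/Samba FILETIME attributes and compute password expiry.

Editor's example, not code from the post or from Samba. The LDIF below is a
trimmed copy of the 'hr' entry in the post; nothing is fetched from a server.
"""
import base64
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # accountExpires "never" (0 also means never)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000

# userAccountControl bits relevant here.
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample: the attributes from the post's ldapsearch output that
# matter for expiry (the rest of the entry is omitted).
SAMPLE_LDIF = """\
# hr, Users, abc-ho.local
dn: CN=hr,CN=Users,DC=abc-ho,DC=local
cn: hr
sAMAccountName: hr
objectGUID:: 9yP2bYYXoUCCpl1Hk7fEww==
accountExpires: 137919572470000000
userAccountControl: 512
whenChanged: 20150102054825.0Z
pwdLastSet: 130646513050000000
"""


def parse_ldif(text):
    """Minimal LDIF reader: {attr: [values]}; '::' values are base64-decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:     # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: base64"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def filetime_to_datetime(ticks):
    """FILETIME -> aware datetime; None for the 0 / 0x7FFF... 'never' sentinels."""
    ticks = int(ticks)
    if ticks in (0, FILETIME_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age_days(max_pwd_age_attr):
    """maxPwdAge on the domain object is a negative 100-ns interval."""
    return -int(max_pwd_age_attr) / TICKS_PER_DAY


def account_expiry(entry):
    """When the account itself stops working (independent of the password)."""
    return filetime_to_datetime(entry["accountExpires"][0])


def password_expiry(entry, max_age_days):
    """(status, expiry datetime or None), following AD's evaluation order."""
    uac = int(entry["userAccountControl"][0])
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never (DONT_EXPIRE_PASSWD set)", None
    pwd_last_set = int(entry["pwdLastSet"][0])
    if pwd_last_set == 0:
        return "must change at next logon", None
    if max_age_days == 0:
        return "never (policy has no maximum age)", None
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return "expires", expires


def password_expired(entry, max_age_days, now):
    """True if the password is expired at 'now' (datetime or ISO-8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    status, when = password_expiry(entry, max_age_days)
    if status == "must change at next logon":
        return True
    return when is not None and now >= when


if __name__ == "__main__":
    hr = parse_ldif(SAMPLE_LDIF)
    print("pwdLastSet      :", filetime_to_datetime(hr["pwdLastSet"][0]))
    print("accountExpires  :", account_expiry(hr))
    print("password        :", password_expiry(hr, 60))
    print("expired on post date (2015-01-12)?",
          password_expired(hr, 60, "2015-01-12T00:00:00+00:00"))
```

What the decoded values show: pwdLastSet is 2015-01-02 05:48:25 UTC, which agrees with the entry's whenChanged stamp, so under a 60-day maximum the password does not expire until 2015-03-03 05:48:25 UTC, after the date of the post. accountExpires decodes to 2038-01-19 03:14:07 UTC, exactly 2^31-1 seconds after the Unix epoch (the largest 32-bit time_t), and it has no bearing on the password calculation; with userAccountControl 512 (NORMAL_ACCOUNT only, no DONT_EXPIRE_PASSWD) the domain's maximum age applies as computed above.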
