[Samba] Password must change

Rowland penny rpenny at samba.org
Thu Apr 28 21:10:29 UTC 2016


On 28/04/16 21:37, Carlos A. P. Cunha wrote:
>
> Sorry but I do not understand ....
> :-O
>
>
> On 28-04-2016 16:55, Rowland penny wrote:
>> On 28/04/16 20:30, Carlos A. P. Cunha wrote:
>>>
>>> What I want is to define that user X has the expiration date on one 
>>> date and user Y on another date, and this date I could set.
>>> When the date arrives, you have to change the password.
>>>
>>> When I use the command
>>>
>>> samba-tool user setexpiry USER --noexpiry
>>>
>>> it changes the "Password must change: Tuesday, 19 Jan 2038 01:14:07 GMT"
>>>
>>> I would like to do this, but by setting the date.
>>>
>>>
>>> On 28-04-2016 16:15, Rowland penny wrote:
>>>> On 28/04/16 19:49, Carlos A. P. Cunha wrote:
>>>>>
>>>>> Hello!
>>>>> I had looked at the options, and found nothing to what I want to 
>>>>> do ...
>>>>> Because of this, I tried alternatives with "pdbedit".
>>>>>
>>>>> Any other option?
>>>>>
>>>>> Goodbye
>>>>>
>>>>>
>>>>> On 28-04-2016 15:09, Rowland penny wrote:
>>>>>> samba-tool domain passwordsettings --help
>>>>>
>>>>
>>>> OK, the user's password must have expired, this means that the 
>>>> 'pwdLastSet' attribute will now contain '0', if you want to 
>>>> un-expire the password, you need to change this to '-1'. When the 
>>>> user next logs in, 'pwdLastSet' will get set to the current date/time.
>>>> You cannot set 'pwdLastSet' to anything other than '0' or '-1'
>>>>
>>>> Do you want to go to all the trouble of changing an attribute with 
>>>> ldb or similar, or do what I suggested earlier?
>>>>
>>>> Rowland
>>>
>>
>> Ah, that would be the 'UserAccountControl' attribute. Your user will 
>> probably have 512 stored in this (normal account); add 65536 (don't 
>> expire password) to this and store the result (66048) in the attribute.
>>
>> Rowland
>>
>


OK, with Samba4 you cannot use a GPO to set when a user's password 
expires, you have to use samba-tool for this, you will also have to use 
samba-tool to change password complexity.

To make a user change their password, you need to change the 
'pwdLastSet' attribute in the user's AD object to '0'.

To stop a user's password expiring you need to change the 
'UserAccountControl' attribute in the user's AD object. This normally 
will contain '512' if the user is enabled and '514' if the user is 
disabled. To stop the password expiring you need to add '65536' to 
whatever is there now (unless, of course, it is already larger than 65536).

How you do this is up to you, you could use ldbmodify, ldapmodify, 
ldbedit or ADUC.

See here for more info about UserAccountControl:
https://support.microsoft.com/en-gb/kb/305144

Rowland
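
The two attribute changes described in the message above, as an added example that is not part of the original message or of Samba's own code: shell functions that compute the new 'UserAccountControl' value with a bitwise OR (so a value that already has the 65536 bit is left unchanged) and emit LDIF for ldbmodify or ldapmodify. The function names and the sample DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
UF_ACCOUNTDISABLE=2           # account disabled (512 + 2 = 514)
UF_NORMAL_ACCOUNT=512         # normal user account
UF_DONT_EXPIRE_PASSWD=65536   # password never expires

# Print userAccountControl with "don't expire password" set. A bitwise OR
# leaves the value unchanged when the bit is already present.
uac_set_noexpire() {
    echo $(( $1 | $UF_DONT_EXPIRE_PASSWD ))
}

# Print the names of the three flags from the thread that are set in $1.
uac_describe() {
    out=""
    if [ $(( $1 & $UF_NORMAL_ACCOUNT )) -ne 0 ]; then out="$out NORMAL_ACCOUNT"; fi
    if [ $(( $1 & $UF_ACCOUNTDISABLE )) -ne 0 ]; then out="$out ACCOUNTDISABLE"; fi
    if [ $(( $1 & $UF_DONT_EXPIRE_PASSWD )) -ne 0 ]; then out="$out DONT_EXPIRE_PASSWD"; fi
    echo "${out# }"
}

# Emit LDIF for ldbmodify or ldapmodify.
# $1 = user DN, $2 = current userAccountControl, $3 = noexpire | mustchange
user_ldif() {
    case "$3" in
        noexpire)   attr=userAccountControl; val=$(uac_set_noexpire "$2") ;;
        mustchange) attr=pwdLastSet; val=0 ;;
        *)          echo "unknown action: $3" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$1" "$attr" "$attr" "$val"
}

# Constructed sample: a made-up DN and the values named in the thread.
DN='CN=Example User,CN=Users,DC=example,DC=com'
for uac in 512 514 66048; do
    new=$(uac_set_noexpire "$uac")
    echo "$uac ($(uac_describe "$uac")) -> $new ($(uac_describe "$new"))"
done
user_ldif "$DN" 512 noexpire      # pipe into: ldbmodify -H <path to sam.ldb>
user_ldif "$DN" 512 mustchange
```

Read the current 'UserAccountControl' value from the directory before generating the LDIF, since the replace operation overwrites the whole attribute.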

