[Samba] Samba-tool password expiration and service accounts

Brandon Nishan bnishan at herricktechlabs.com
Thu Oct 13 14:06:58 UTC 2016

Thanks for your help, I really appreciate it. I have gone back and now see 
that using "--noexpiry"
sets both the account and password to not expire. I had originally
misunderstood the command, thinking it set only the account to not expire.


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Thursday, October 13, 2016 3:39 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba-tool password expiration and service accounts

On Wed, 12 Oct 2016 21:16:02 +0000
Brandon Nishan via samba <samba at lists.samba.org> wrote:

> Initially I had set password expiration to be 6 months using
> samba-tool, and used ADUC to tick the "password never expires" box on
> specific service accounts that I wanted to keep with the same
> password. What I found was that even with this box checked, the
> account's passwords did expire after 6 months.
> So it seems that the password settings configured by samba-tool apply
> to all accounts on the domain, including the ones I intended to use as
> service accounts.  Either all account passwords expire after X days,
> or all accounts never expire (if you set the max age to 0). My
> questions:
> - Am I correct in the above? If so, do you have any ideas on how to
> preserve security with password rotation for the users while also
> allowing service accounts (password never expires) to exist?
> -If I am not correct, does this indicate a problem with my Samba
> installation or am I missing a setting to make the service accounts
> immune to samba-tool password rules?

Have you tried reading the output of 'samba-tool user setexpiry --help' ?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list