[Samba] Some hint reading password expiration data...

Marco Gaiarin gaio at sv.lnf.it
Tue Oct 24 16:37:09 UTC 2017

Mandi! Rowland Penny via samba
  In chel di` si favelave...

> The main problem here is that you are still looking at the problem from
> the NT perpective,

Seems obvious to me. I came from 10+ years of experience on Samba3 NT
domains, that indeed had excellent documentation and a more (for me)
UNIX-minded approach.

I was (ab)used at samba tools (smbpasswd, pdbedit, wbinfo, ...), and i
can see that many of them still work on AD mode.

Still, every tool do something a bit different of the others, and still
some things cannot be done now by this tools, or by samba-tool that i
suppose aim to substitute all of them.

I'm tring to understand, moving away from NT and jumping in AD. Sorry
for my messages, but it is very hard to search for some info without

> 'accountExpires' has nothing to do with when the password expires ;-)

I know. But in NT mode, samba (or was the smbldap-tools?) was used to
write in 'accountExpires' explicitly, so i'm asking about it.

> Setting 'userAccountControl' to 514, disables the account, it doesn't
> do anything to the password.

Again i know that. I was asking effectively if 'pdbedit' is still an
affordable tool to write account control in AD.

> The one you need to
> look at is 'pwdLastSet', this is used with 'maxPwdAge' to calculate
> when the password expires.

Ok, i've found that attribute, on the 'root' of the LDAP tree; but i
think, measurement unit apart, it is the same of:

	root at vdcsv1:~# samba-tool domain passwordsettings show | grep ^Maximum
	Maximum password age (days): 90


> The easiest way to find info on this subject is to remember that you
> are now using Active Directory and use this in an internet search,
> along with 'pwdlastSet' and 'maxPwdAge', don't mention Samba in the
> search.

Ok, good. But still i've not the answer of one of my question, indeed.

Password expiration are computed ''dynamically'' (now < pwdlastSet +
maxPwdAge), or the value of password expiration (pwdlastSet +
maxPwdAge) are saved (or accessible) somewhere?


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list