[Samba] Password policy for user-managed passwords

Jonathon Reinhart jonathon.reinhart at gmail.com
Thu Jul 15 02:08:51 UTC 2021

On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba
<samba at lists.samba.org> wrote:
> Hi,
> I'm moving away from managing passwords for my clients.

Better late than never. A sysadmin should never be responsible for
setting passwords for users.

> I'm just trying to
> understand the specifics around expiration and how the user gets prompted
> with an ADDC and what the simplest approach would look like.

If your clients are logging into domain-joined Windows workstations,
then you have nothing to worry about. Windows will force the user to
change their password before/when it expires. The same goes for most
configurations of Linux workstations joined to the domain, also.

If your client workstations are not domain-joined, you should really
consider doing that.

If you have an Active Directory domain, but your users aren't using
interactive login, then what are you using the domain for? Just Samba
share auth?

If you really don't want to use interactive login, but still want to
expire user passwords, I can offer a couple of tools that I wrote:

1) Diress (Directory Self-Service, pronounced "duress") -- A very
simple web app allowing users to change their password from a web

2) ADMan (Active Directory Management) -- Automated AD administrative
tasks. One of the things it can do is email users when their passwords
are about to expire.

Good luck,
