[Samba] Password policy for user-managed passwords

Philippe LeCavalier support at plecavalier.com
Sun Jul 18 13:56:49 UTC 2021

Thank you Rowland. I appreciate you taking the time.

On Sat, Jul 17, 2021, 11:49 Rowland Penny via samba <samba at lists.samba.org>

> On Sat, 2021-07-17 at 11:16 -0400, Philippe LeCavalier via samba wrote:
> > Anyone else?
> There are several things in play here, there is the default domain
> password expiry, which can be shown by running:
> samba-tool domain passwordsettings show
> You can force a user to change their password by resetting it with:
> samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login

This implies I have to set a password that I would provide to them before
they can set a new one if I'm reading that correctly? How would I apply
that domain wide?

> There are a couple of attributes that need changing, userAccountControl
> and accountExpires
> If 'accountExpires' isn't set, then the password will expire on the day
> shown by the first samba-tool command above. A value of 0 or
> 9223372036854775807 indicates that the account never expires.
> You can set the password expiry with:
> samba-tool user setexpiry

Yes. This is the setting I typically set to 0.

> Add '--help' to the above command for more info.
> Rowland

I'm still uncertain how I transition smoothly. If I set the password to
expire after 1 day will they be prompted to change it or will their account
be disabled per the wording for that option? If the first users to change
their password change it within a few hours but the others take a week
won't the ones that change it be forced to change every day until the
slowest tell me they've completed the task and I can change the policy to
60 or 90?

Also, you mentioned 'userAccountControl' needed changing but you didn't
elaborate.
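
The attributes named in this thread can be decoded per user to see where each account stands before a policy change. The following is an added example, not part of the original messages and not Samba's own code. It assumes standard Active Directory semantics that the thread does not spell out (pwdLastSet of 0 means a change is required at next login; the two userAccountControl bits shown), and the entries and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Directory timestamps count 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 9223372036854775807)  # accountExpires values meaning "never expires"
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl bit: account disabled (assumed AD semantics)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires (assumed)

def to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_ticks(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def account_state(entry, max_pwd_age_days, now):
    """Return (account status, password status) for one user entry (a dict)."""
    uac = int(entry["userAccountControl"])
    expires = int(entry.get("accountExpires", 0))
    last_set = int(entry.get("pwdLastSet", 0))

    if uac & UF_ACCOUNTDISABLE:
        account = "disabled"
    elif expires in NEVER:
        account = "never expires"
    elif to_datetime(expires) <= now:
        account = "expired"
    else:
        account = "expires " + to_datetime(expires).date().isoformat()

    if uac & UF_DONT_EXPIRE_PASSWD:
        password = "never expires"
    elif last_set == 0:
        password = "must change at next login"
    elif max_pwd_age_days == 0:   # assumed: a domain maximum age of 0 disables expiry
        password = "never expires"
    else:
        due = to_datetime(last_set) + timedelta(days=max_pwd_age_days)
        password = ("expired " if due <= now else "expires ") + due.date().isoformat()
    return account, password

if __name__ == "__main__":
    now = datetime(2021, 7, 18, tzinfo=timezone.utc)
    # Constructed sample entries, not taken from the thread.
    users = {
        "User1": {"userAccountControl": 512, "accountExpires": 0, "pwdLastSet": 0},
        "User2": {"userAccountControl": 512, "accountExpires": 9223372036854775807,
                  "pwdLastSet": to_ticks(datetime(2021, 5, 1, tzinfo=timezone.utc))},
    }
    for name, entry in users.items():
        print(name, account_state(entry, 60, now))
```
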

