[Samba] Password policy for user-managed passwords

Rowland Penny rpenny at samba.org
Sun Jul 18 14:20:50 UTC 2021

On Sun, 2021-07-18 at 09:56 -0400, Philippe LeCavalier wrote:
> > You can force a user to change their password by resetting it with:
> > 
> > samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login
> 
> This implies I have to set a password that I would provide to them
> before they can set a new one if I'm reading that correctly? How
> would I apply that domain wide?

I would only do this for individual users or new users. I suppose you
could write a script to do it, randomly create a password and use that,
the problem would be in getting the interim password to the user, but
you never know, someone may have an idea how to do this.

> > There are a couple of attributes that need changing,
> > userAccountControl and accountExpires
> > 
> > If 'accountExpires' isn't set, then the password will expire on the
> > day shown by the first samba-tool command above. A value of 0 or
> > 9223372036854775807 indicates that the account never expires.
> > 
> > You can set the password expiry with:
> > samba-tool user setexpiry
> 
> Yes. This is the setting I typically set to 0.
> 
> > Add '--help' to the above command for more info.
> > 
> > Rowland
> 
> I'm still uncertain how I transition smoothly. If I set the
> password to expire after 1 day will they be prompted to change it
> or will their account be disabled per the wording for that option?

The 'prompting' is down to the display manager, it should prompt the
user to change their password, it should prompt well before the
password expires, so I wouldn't use 1 day.

> If the first users to change their password change it within a few
> hours but the others take a week won't the ones that change it be
> forced to change every day until the slowest tell me they've
> completed the task and I can change the policy to 60 or 90?

It doesn't work that way, if you set expiry to 1 day, then that is when
the password will expire, so if the users do not change their passwords
before the end of the day, then any passwords not changed will expire
and those users will not be able to login. You are correct about the users
having to change their passwords every day, that is yet another reason
to not use 1 day.

> Also, you mentioned 'userAccountControl' needed changing but you
> didn't elaborate.

Sorry, if you use samba-tool to set a user's expiry, then that attribute
is set for you. To understand 'userAccountControl', try reading this:



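Added example (not from this thread or from Samba itself): a Python check for the "transition smoothly" question above, classifying accounts by their pwdLastSet and accountExpires values so an admin can see who would be locked out before an expiry date arrives. It assumes the attribute values were read from `samba-tool user show` or ldbsearch output and uses the standard AD meaning of pwdLastSet=0 (must change at next login); the records below are constructed, not real directory data.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamps: 100 ns ticks since 1601
TICKS_PER_SECOND = 10_000_000
# accountExpires values the thread cites as "never expires": 0 and 2**63 - 1.
NEVER_EXPIRES = {0, 9223372036854775807}

def ad_to_datetime(ticks):
    """Convert an AD timestamp to an aware datetime; None for the 'never' sentinels."""
    if ticks in NEVER_EXPIRES:
        return None
    return AD_EPOCH + timedelta(seconds=ticks // TICKS_PER_SECOND)

def datetime_to_ad(dt):
    """Inverse of ad_to_datetime (used here only to build the sample records)."""
    return int((dt - AD_EPOCH).total_seconds()) * TICKS_PER_SECOND

def password_state(entry, now, max_pwd_age_days, warn_days):
    """Classify one account against a maxPwdAge-style policy."""
    account_expires = ad_to_datetime(entry["accountExpires"])
    if account_expires is not None and account_expires <= now:
        return "account-expired"
    pwd_last_set = entry["pwdLastSet"]
    if pwd_last_set == 0:
        # pwdLastSet=0 is what --must-change-at-next-login leaves behind.
        return "must-change"
    expires_on = ad_to_datetime(pwd_last_set) + timedelta(days=max_pwd_age_days)
    if expires_on <= now:
        return "expired"
    if expires_on - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"

def report(entries, now, max_pwd_age_days=90, warn_days=14):
    """Map sAMAccountName -> state for a batch of attribute dicts."""
    return {e["sAMAccountName"]: password_state(e, now, max_pwd_age_days, warn_days) for e in entries}

# Constructed sample records (not real directory data), timed against the post date.
NOW = datetime(2021, 7, 18, 14, 20, 50, tzinfo=timezone.utc)
NEVER = 9223372036854775807
SAMPLE_ENTRIES = [
    {"sAMAccountName": "user1", "pwdLastSet": 0, "accountExpires": 0},
    {"sAMAccountName": "user2", "pwdLastSet": datetime_to_ad(NOW - timedelta(days=100)), "accountExpires": NEVER},
    {"sAMAccountName": "user3", "pwdLastSet": datetime_to_ad(NOW - timedelta(days=85)), "accountExpires": NEVER},
    {"sAMAccountName": "user4", "pwdLastSet": datetime_to_ad(NOW - timedelta(days=10)), "accountExpires": 0},
    {"sAMAccountName": "user5", "pwdLastSet": datetime_to_ad(NOW - timedelta(days=10)), "accountExpires": datetime_to_ad(NOW - timedelta(days=1))},
]
if __name__ == "__main__":
    print(report(SAMPLE_ENTRIES, NOW))
```

Run against a real export, the "expired" and "expiring-soon" buckets are the users to contact before the policy change, and "must-change" shows who the setpassword command has already flagged.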