[Samba] unexpected password expiration

mj lists at merit.unu.edu
Fri Sep 17 10:54:43 UTC 2021


Regarding password age / expiration, we have configured samba like:

> root@dadc:~# samba-tool domain passwordsettings show
> Password information for domain 'DC=samdom,DC=company,DC=com'
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 24
> Minimum password length: 14
> Minimum password age (days): 0
> Maximum password age (days): 0
> Account lockout duration (mins): 30
> Account lockout threshold (attempts): 10
> Reset account lockout after (mins): 60
> root@addc:~# samba-tool domain passwordsettings pso list
> No PSOs are present, or you don't have permission to view them.

From the above, we assume that our passwords will not expire (and yes, 
that is a bad idea, but it's the way it currently is).

However, a tool that we use (LAM) is reporting to two of our users that 
their passwords are about to expire, and they need to set a new one.

LAM logs this:
> 2021-09-17 12:28:22 Debug Checking CN=user1,CN=Users,DC=samdom,DC=company,DC=com
> 2021-09-17 12:28:22 Debug Last password change on 2021-08-10
> 2021-09-17 12:28:22 Debug Number of days before warning 7
> 2021-09-17 12:28:22 Debug Password expires on 2021-09-22
> 2021-09-17 12:28:22 Debug Password notification on 2021-09-15 12:55
> 2021-09-17 12:28:22 Info Not sending email to CN=user1,CN=Users,DC=samdom,DC=company,DC=com because of dry run.

My question to the samba experts here is:

Is there another way password expiration settings can be configured in 
Samba/AD, or should we look at the tool in use (LAM), where most likely 
something is going wrong with the calculations?

Thanks, and a nice weekend to everybody!
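
A cross-check of the two outputs quoted in the post, as an added example that is not part of the original message and is not Samba or LAM code: it derives the maximum password age implied by the expiry date LAM computed and compares it with the domain-wide value from `samba-tool`. The function names are made up for this sketch, and the sample text is copied from the lines above.

```python
import re
from datetime import date

# Lines copied from the post above (only the fields the check needs).
POLICY_OUTPUT = """\
Minimum password age (days): 0
Maximum password age (days): 0
"""
LAM_LOG = """\
2021-09-17 12:28:22 Debug Checking CN=user1,CN=Users,DC=samdom,DC=company,DC=com
2021-09-17 12:28:22 Debug Last password change on 2021-08-10
2021-09-17 12:28:22 Debug Number of days before warning 7
2021-09-17 12:28:22 Debug Password expires on 2021-09-22
"""

def domain_max_age(policy_text):
    """Return 'Maximum password age (days)' from samba-tool output (0 = no expiry)."""
    m = re.search(r"Maximum password age \(days\):\s*(\d+)", policy_text)
    if m is None:
        raise ValueError("no 'Maximum password age' line found")
    return int(m.group(1))

def implied_max_ages(log_text):
    """Map each checked DN to the days between last change and LAM's expiry date."""
    ages, dn, changed = {}, None, None
    for line in log_text.splitlines():
        if m := re.search(r"Debug Checking (.+)$", line):
            dn, changed = m.group(1).strip(), None
        elif m := re.search(r"Last password change on (\d{4}-\d{2}-\d{2})", line):
            changed = date.fromisoformat(m.group(1))
        elif m := re.search(r"Password expires on (\d{4}-\d{2}-\d{2})", line):
            if dn and changed:
                ages[dn] = (date.fromisoformat(m.group(1)) - changed).days
    return ages

def mismatches(policy_text, log_text):
    """Return the DNs whose implied maximum age differs from the domain policy."""
    policy = domain_max_age(policy_text)
    return {dn: age for dn, age in implied_max_ages(log_text).items()
            if age != policy}

if __name__ == "__main__":
    print("domain-wide maximum age:", domain_max_age(POLICY_OUTPUT))
    for dn, age in mismatches(POLICY_OUTPUT, LAM_LOG).items():
        print(f"{dn}: tool assumes {age} days")
```
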

