[Samba] Password Expiration setting and manually adjusting the date

[Rowland Penny]

On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <
> samba at lists.samba.org>
> wrote:
> 
> > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba
> > wrote:
> > > Just bringing this back to the surface.
> > > 
> > 
> > I have reread this thread and I think this is normal :-)
> > 
> > Your user gets locked out because their password has expired.
> > You unlock the user and set their password expiration to three
> > days.
> > Your user changes the password but this does not effect the expiry.
> > After three days they get locked out again.
> > 
> > Rinse and repeat :-)
> > 
> > You are going about this the wrong way, you need to remind them
> > that
> > their password will expire before it does.
> > 
> > Rowland
> > They are aware it will expire in 30 just as they are aware it will
> > expire
> > after 3 (when I postpone it).
> 
> So you're confirming that changing a password does not change the
> date for
> which the password is set to expire? In other words the only
> automatic or
> systematic change of password is at the 90 day anniversary (it
> whatever
> password settings show, which in my case is 90). This means when the
> user
> gets locked and I unlock i also need to set the password to expire in
> 90
> not 3.

Possibly, I do not know how you are changing the password and setting
the three days grace. I would change the password and make the user
change it at next logon. If you are changing the password and then
setting the expiry to three days hence, then that expiry date is very
likely to be honoured. The only way to confirm this would be to examine
a users object in AD after you change the password and set the three
days grace and check for the contents of the 'maxPwdAge' attribute.

There is also a constructed attribute:
'msDS-UserPasswordExpiryTimeComputed'

Rowland