[Samba] Password Expiration setting and manually adjusting the date

Philippe LeCavalier support at plecavalier.com
Sat Jun 11 19:53:46 UTC 2022


On Sat, Jun 11, 2022 at 12:54 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:
> > On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <
> > samba at lists.samba.org>
> > wrote:
> >
> > > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba
> > > wrote:
> > > > Just bringing this back to the surface.
> > > >
> > >
> > > I have reread this thread and I think this is normal :-)
> > >
> > > Your user gets locked out because their password has expired.
> > > You unlock the user and set their password expiration to three
> > > days.
> > > Your user changes the password but this does not affect the expiry.
> > > After three days they get locked out again.
> > >
> > > Rinse and repeat :-)
> > >
> > > You are going about this the wrong way, you need to remind them that
> > > their password will expire before it does.
> > >
> > > Rowland
> > > They are aware it will expire in 30 just as they are aware it will
> > > expire after 3 (when I postpone it).
> >
> > So you're confirming that changing a password does not change the date
> > for which the password is set to expire? In other words the only
> > automatic or systematic change of password is at the 90 day anniversary
> > (or whatever password settings show, which in my case is 90). This means
> > when the user gets locked and I unlock I also need to set the password to
> > expire in 90 not 3.
>
> Possibly, I do not know how you are changing the password and setting
> the three days grace. I would change the password and make the user
> change it at next logon.

Either by RSAT or CLI, whichever is handy at the time. But mostly CLI.
# samba-tool user enable techsupport;samba-tool user setexpiry --days=3 User
Enabled user 'User'
Expiry for user 'User' set to 3 days.

> If you are changing the password and then
> setting the expiry to three days hence, then that expiry date is very
> likely to be honoured.

Nope. Setting 3 days, unlock (if RSAT) or enable (if CLI) and then telling
the user to 'please change your password within the next 3 days to avoid it
locking you out on 'date of 3rd day'. So the password change inevitably
comes after the 3 days grace. So to me, if the default domain
passwordsettings show max age 90 (min 0) shouldn't the system set the next
anniversary to 90 as soon as the password is changed?
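
Added example, not part of the original thread and not Samba's own code: a
model of the two separate clocks an AD account carries, run over the timeline
discussed above. It assumes that `samba-tool user setexpiry` writes the
account's accountExpires attribute and that password age is derived from
pwdLastSet plus the domain maxPwdAge; all dates are constructed.

```python
# Added illustration, not Samba source. Timestamps use the AD format
# (100 ns ticks since 1601-01-01 UTC); the timeline below is constructed.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000
ACCOUNT_NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires: "never"
PWD_NEVER = (0, -0x8000000000000000)      # maxPwdAge: "passwords never expire"
UF_DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl flag

def to_nttime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_nttime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_expires(pwd_last_set, max_pwd_age, uac=0):
    """pwdLastSet + |maxPwdAge|, or None when the password never expires."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in PWD_NEVER:
        return None
    if pwd_last_set == 0:                 # 0 = must change at next logon
        return EPOCH_1601
    return from_nttime(pwd_last_set - max_pwd_age)   # maxPwdAge is negative

def logon_blocked_by(now, pwd_last_set, max_pwd_age, account_expires, uac=0):
    """Which clock blocks logon at `now`: 'account', 'password' or None."""
    if account_expires not in ACCOUNT_NEVER and now >= from_nttime(account_expires):
        return "account"                  # a password change never moves this
    pwd = password_expires(pwd_last_set, max_pwd_age, uac)
    return "password" if pwd is not None and now >= pwd else None

def thread_timeline():
    """Day 0: expiry set to +3 days. Day 1: user changes password (max age 90)."""
    day0 = datetime(2022, 6, 1, tzinfo=timezone.utc)   # constructed date
    max_age = -90 * TICKS_PER_DAY
    acct = to_nttime(day0 + timedelta(days=3))         # assumed accountExpires
    pls = to_nttime(day0 + timedelta(days=1))          # new pwdLastSet
    return {
        "password_expires": password_expires(pls, max_age),
        "day 4": logon_blocked_by(day0 + timedelta(days=4), pls, max_age, acct),
        "day 4, expiry cleared": logon_blocked_by(day0 + timedelta(days=4), pls, max_age, 0),
        "day 92, expiry cleared": logon_blocked_by(day0 + timedelta(days=92), pls, max_age, 0),
    }

if __name__ == "__main__":
    for key, value in thread_timeline().items():
        print(f"{key}: {value}")
```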