Hi guys/girls,

How are you?
I've been struggling to get my users' passwords to expire.
My configuration is samba-3.0 running with the standard smbpasswd back-end.

Everything that I can find on the web says I should set the following to expire my users' passwords after 28 days:

    pdbedit -v -P 'minimum password age' -C 300
    pdbedit -v -P 'maximum password age' -C 2419200

Unfortunately my users never get prompted for a new password.

When I do a "pdbedit -v -u <username>" all the details come up, however what I find interesting is the following:

    Password can change: Wed, 04 Feb 2004 16:59:54 GMT
    Password must change: Fri, 13 Dec 1901 22:45:51 GMT

Whatever I try I cannot change the "Password must change:" line.
Perhaps I've missed something really simple here?
Does this feature perhaps require an LDAP back-end?

Any assistance would be greatly appreciated, thank you in advance.

--
Many thanks and kind regards,
David Wilson
D c D a t a
+27 33 3427003
+27 82 4147413
http://www.dcdata.co.za
support@dcdata.co.za
____________________________________________________
LinuxBox S.A.: Africa's shell provider.
Powered by Linux and DcData - driven by passion !
http://www.linuxbox.co.za

On Tue, 2004-02-10 at 03:32, David Wilson wrote:
> Hi guys/girls,
>
> How are you ?
> I've been struggling to get my users' passwords to expire.
> My configuration is samba-3.0 running with the standard smbpasswd
> back-end.
>
> Everything that I can find on the web says I should set the following to
> expire my users passwords after 28 days.:
> pdbedit -v -P 'minimum password age' -C 300
> pdbedit -v -P 'maximum password age' -C 2419200
>
> Unfortunately my users never get prompted for a new password.
>
> When I do a "pdbedit -v -u <username>" all the details come up, however
> what I find interesting is the following:
> Password can change: Wed, 04 Feb 2004 16:59:54 GMT
> Password must change: Fri, 13 Dec 1901 22:45:51 GMT
>
> What ever I try I cannot change the "Password must change:" line.
> Perhaps I've missed something really simple here ?
> Does this feature perhaps require an LDAP back-end ?

Yes, it requires the LDAP backend, and only applies after the password has been changed (that is, the 'must change time' will not be reset for current passwords).

We store the 'last change time' for smbpasswd, and could therefore implement a patch to handle this, but I would prefer to keep smbpasswd dumb and simple and to push people to the wonderful (horrible) world of LDAP ;-)

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net

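The reply above notes that the smbpasswd back-end stores a last change time even though expiry is not applied to it. As an added example (not part of the thread and not Samba code), the Python below reads the LCT field of smbpasswd-format entries and reports which user accounts are older than the 28-day maximum age from the thread. The sample entries, the account names, the fixed "now" date and the handling of the U/D/W account flags are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

MAX_PASSWORD_AGE = 2419200  # seconds (28 days), the value set in the thread
H = "X" * 32                # placeholder standing in for the LM/NT hash fields

# Constructed smbpasswd entries:
# name:uid:LM hash:NT hash:[account flags]:LCT-<hex seconds since epoch>:
SAMPLE = "\n".join([
    "# constructed sample, not real accounts",
    f"alice:1001:{H}:{H}:[U          ]:LCT-402123DE:",
    f"bob:1002:{H}:{H}:[U          ]:LCT-3FCA8480:",
    f"carol:1003:{H}:{H}:[DU         ]:LCT-3FCA8480:",
    f"pc01$:1004:{H}:{H}:[W          ]:LCT-3FCA8480:",
    f"dave:1005:{H}:{H}:[U          ]:LCT-00000000:",
])

ENTRY = re.compile(r"^([^:#]+):\d+:[^:]*:[^:]*:\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")

def audit(text, now, max_age=MAX_PASSWORD_AGE):
    """Return (user, last_change, must_change, status) for each user account."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                      # comment, blank or malformed line
        user, flags, lct = m.group(1), m.group(2), int(m.group(3), 16)
        if "U" not in flags:
            continue                      # machine or trust account
        if lct == 0:
            rows.append((user, None, None, "unknown"))  # no change recorded
            continue
        changed = datetime.fromtimestamp(lct, timezone.utc)
        due = datetime.fromtimestamp(lct + max_age, timezone.utc)
        if "D" in flags:
            status = "disabled"
        else:
            status = "expired" if now >= due else "ok"
        rows.append((user, changed, due, status))
    return rows

if __name__ == "__main__":
    now = datetime(2004, 2, 10, tzinfo=timezone.utc)  # fixed date for the sample
    for user, changed, due, status in audit(SAMPLE, now):
        print(f"{user:8} {status:9} last={changed} must_change={due}")
```

A report like this only shows which passwords are overdue; it does not make Samba prompt for or force a change.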
Hi Collen,

Thanks for your reply.
The MySQL backend sounds good, though I think LDAP may be a bit easier for us. I suppose SQL may be a better option when a VERY large user base is used? Nevertheless I will keep your email in mind.

From what Andrew has said, I think the password expiry option can only be applied to all users, exactly the same as Windows NT?

--
Many thanks and kind regards,
David Wilson

On Tue, 2004-02-10 at 01:59, David Wilson wrote:
> Hi Collen,
>
> Thanks for your reply.
> The MySQL backend sounds good, though I think LDAP may be a bit easier
> for us. I suppose SQL may be a better option when a VERY large user base
> is used ? Nevertheless I will keep your email in mind.
>
> From what Andrew has said, I think the password expiry option can only
> be applied to all users, exactly the same as Windows NT ?

----
Actually, I think that you have this somewhat backwards.

LDAP is totally scalable and would be best in large scale installations.

MySQL backend is probably more suitable for a smaller, single DC installation where the maintainer has more familiarity with coding MySQL than LDAP.

Craig