Marco De Vitis
2006-Jan-08 22:36 UTC
[Samba] Password expiration and documentation problems
Hello, I'm using Samba 3.0.21a on Debian Sarge, tdbsam account backend. I was playing around with pdbedit and the account control flags, and noticed a different behaviour from what I expected: if the password for a user has expired, and I set the "X" account flag for him (pdbedit -c "[X]" username), I'd expect the system to never tell him about his expired password. Instead, the only difference is this: without the X flag, the user is forced to change his password, while when the X flag is active he is warned that the password has expired, but he has the choice to ignore the warning and continue using the old password; this happens at each logon, so eventually changing the password is unavoidable anyway to get rid of the warning. Is this the correct behaviour? In other words: is setting the expiration date far away in the future the only way to make a "never-expiring" password? I hoped to be able to do it by using the X flag... BTW, my user accounts initially had a password expiration date set to sometime in 1901 (this was automatically set, I don't know why), and this worked like a "far away date", because their passwords never expired. Looks like what I'm after, but how can I recreate it? pdbedit does not seem to accept dates outside the 1970-2038 range. While playing with this, I encountered some problems in the documentation. The most important is an error (I believe) in the HOWTO: at the end of the section about pdbedit (<http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing>) an example is made where "maximum password age" should be set to 90 days and "minimum password age" to 7 days... but the commands shown set the time to 90 and 7 seconds, respectively! Then, I think the pdbedit man page should mention that, instead of using: > pdbedit -u username <some options> ...you can use: > pdbedit <some options> username ...which is IMHO more friendly. I only discovered it by looking at the samples in the HOWTO. Finally, when reading in the pdbedit manpage that this is a tool to "manage user accounts", you would expect it to also be able to change user passwords... but AFAIK is not, and you must use smbpasswd even when you're not using the smbpasswd password backend. IMHO this should be made explicit in the docs, both in the pdbedit and smbpasswd man pages. Thanks. -- Ciao, Marco.