Jonathon Reinhart
2021-Jul-15 02:08 UTC
[Samba] Password policy for user-managed passwords
On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> I'm moving away from managing passwords for my clients.

Better late than never. A sysadmin should never be responsible for setting passwords for users.

> I'm just trying to
> understand the specifics around expiration and how the user get prompted
> with an ADDC and how the simplest approach would look like.

If your clients are logging into domain-joined Windows workstations, then you have nothing to worry about. Windows will force the user to change their password before/when it expires. The same goes for most configurations of Linux workstations joined to the domain, also.

If your client workstations are not domain-joined, you should really consider doing that.

If you have an Active Directory domain, but your users aren't using interactive login, then what are you using the domain for? Just Samba share auth?

If you really don't want to use interactive login, but still want to expire user passwords, I can offer a couple of tools that I wrote:

1) Diress (Directory Self-Service, pronounced "duress") -- A very simple web app allowing users to change their password from a web browser.
   https://gitlab.com/JonathonReinhart/diress/

2) ADMan (Active Directory Management) -- Automated AD administrative tasks. One of the things it can do is email users when their passwords are about to expire.
   https://gitlab.com/JonathonReinhart/adman

Good luck,
Jonathon
Philippe LeCavalier
2021-Jul-15 08:28 UTC
[Samba] Password policy for user-managed passwords
On Wed, Jul 14, 2021 at 10:09 PM Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba
> <samba at lists.samba.org> wrote:
> >
> > Hi,
> >
> > I'm moving away from managing passwords for my clients.
>
> Better late than never. A sysadmin should never be responsible for
> setting passwords for users.
>

That's an opinion.

>
> If your clients are logging into domain-joined Windows workstations,
> then you have nothing to worry about. Windows will force the user to
> change their password before/when it expires. The same goes for most
> configurations of Linux workstations joined to the domain, also.
>
> If your client workstations are not domain-joined, you should really
> consider doing that.
>
> If you have an Active Directory domain, but your users aren't using
> interactive login, then what are you using the domain for? Just Samba
> share auth?
>

They are domain-joined and interactive login is there but the expiration isn't set or is set to 0, that's all. So as my initial question: do I simply set the expiration to the desired cycle, say 60 days? And if I don't want to wait 60 days for the first reset, what's the best approach?

Thanks,
Phil
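
Added example, not part of either message and not code from ADMan or Samba: how a domain maximum password age and each account's pwdLastSet combine into an expiry state, including the "expiration set to 0" case and an account flagged to change at next logon. It assumes the usual AD attribute semantics (pwdLastSet as a FILETIME, maxPwdAge as a negative count of 100 ns ticks, userAccountControl bit 0x10000 for non-expiring passwords); the function names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
UF_DONT_EXPIRE_PASSWD = 0x10000       # userAccountControl bit
NO_EXPIRY = (0, -0x8000000000000000)  # maxPwdAge values treated as "never"
DAY_TICKS = 864_000_000_000           # 100 ns ticks per day

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def password_status(pwd_last_set, max_pwd_age, uac, now):
    """Return (state, expiry) from pwdLastSet, the domain maxPwdAge
    (negative tick count) and userAccountControl."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never_expires", None
    if pwd_last_set == 0:              # flagged: change at next logon
        return "must_change_now", None
    if max_pwd_age in NO_EXPIRY:       # expiration not set / set to 0
        return "never_expires", None
    last_set = EPOCH_1601 + timedelta(microseconds=pwd_last_set // 10)
    expiry = last_set + timedelta(microseconds=-max_pwd_age // 10)
    return ("expired" if expiry <= now else "valid"), expiry

def needs_notice(accounts, max_pwd_age, now, warn_days=7):
    """Accounts to contact: expired, forced change, or expiring soon."""
    out = []
    for name, pwd_last_set, uac in accounts:
        state, expiry = password_status(pwd_last_set, max_pwd_age, uac, now)
        soon = state == "valid" and expiry - now <= timedelta(days=warn_days)
        if state in ("expired", "must_change_now") or soon:
            out.append((name, state))
    return out

# Constructed sample data (not real accounts): (name, pwdLastSet, userAccountControl)
NOW = datetime(2021, 7, 15, tzinfo=timezone.utc)
def ft(y, m, d): return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
ACCOUNTS = [
    ("alice", ft(2021, 7, 1), 0x200),
    ("bob", ft(2021, 5, 20), 0x200),
    ("carol", 0, 0x200),
    ("svc-backup", ft(2019, 1, 1), 0x200 | UF_DONT_EXPIRE_PASSWD),
    ("dave", ft(2021, 4, 1), 0x200),
]
SIXTY_DAYS = -60 * DAY_TICKS

if __name__ == "__main__":
    print(needs_notice(ACCOUNTS, SIXTY_DAYS, NOW))  # 60-day policy
    print(needs_notice(ACCOUNTS, 0, NOW))           # expiration set to 0
```

With a 60-day policy, accounts whose password is already older than 60 days show as expired on the day the policy takes effect, while recently set passwords wait out the full cycle unless pwdLastSet is zeroed.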