Philippe LeCavalier
2021-Jul-15 08:28 UTC
[Samba] Password policy for user-managed passwords
On Wed, Jul 14, 2021 at 10:09 PM Jonathon Reinhart < jonathon.reinhart at gmail.com> wrote:> On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba > <samba at lists.samba.org> wrote: > > > > Hi, > > > > I'm moving away from managing passwords for my clients. > > Better late than never. A sysadmin should never be responsible for > setting passwords for users. >That's an opinion.> > If your clients are logging into domain-joined Windows workstations, > then you have nothing to worry about. Windows will force the user to > change their password before/when it expires. The same goes for most > configurations of Linux workstations joined to the domain, also. > > If your client workstations are not domain-joined, you should really > consider doing that. > > If you have an Active Directory domain, but your users aren't using > interactive login, then what are you using the domain for? Just Samba > share auth? >They are domain-joined and interactive login is there but the expiration isn't set or is set to 0, that's all. So as my initial question: do I simply set the expiration to the desired cycle, say 60 days? And if I don't want to wait 60 days for the first reset, what's the best approach? Thanks, Phil
Philippe LeCavalier
2021-Jul-17 15:16 UTC
[Samba] Password policy for user-managed passwords
Anyone else? On Thu, Jul 15, 2021, 04:28 Philippe LeCavalier <support at plecavalier.com> wrote:> On Wed, Jul 14, 2021 at 10:09 PM Jonathon Reinhart < > jonathon.reinhart at gmail.com> wrote: > >> On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba >> <samba at lists.samba.org> wrote: >> > >> > Hi, >> > >> > I'm moving away from managing passwords for my clients. >> >> Better late than never. A sysadmin should never be responsible for >> setting passwords for users. >> > That's an opinion. > >> >> If your clients are logging into domain-joined Windows workstations, >> then you have nothing to worry about. Windows will force the user to >> change their password before/when it expires. The same goes for most >> configurations of Linux workstations joined to the domain, also. >> >> If your client workstations are not domain-joined, you should really >> consider doing that. >> >> If you have an Active Directory domain, but your users aren't using >> interactive login, then what are you using the domain for? Just Samba >> share auth? >> > They are domain-joined and interactive login is there but the expiration > isn't set or is set to 0, that's all. So as my initial question: do I > simply set the expiration to the desired cycle, say 60 days? And if I don't > want to wait 60 days for the first reset, what's the best approach? Thanks, > Phil >