Not much help here, but it does work perfectly with the LDAP backend (via
the pwdMustChange attribute).
> Sauro Saltini wrote:
>
> Hi, everybody.
> I've read many posts about forcing users to change their passwords at
> logon time from windows clients, but still I can't make it work.
>
> I've set up a Samba PDC with the latest stable version (2.2.6) of
> samba and configured it to do Unix password syncing through PAM.
> Then I've set up Unix passwords with the right aging parameters and
> all works fine in Unix (I've got logon messages about password
> expiration and I'm forced to change password after expiration time)
>
> From a Win2K client I can't get it to work:
> - the account is enabled until password expiry and I have no kind of
> notification about the expiration of the password...
> - then a nice day the password really expires and, instead of being
> forced to change it, the user is simply LOCKED OUT (account disabled)
>
> Note that in UNIX the user is still active as I've set a long interval
> between pwd expiry and account locking!
>
> The only functionality needed is a correct expiration / change-forcing
> behaviour from Win2K, so I don't want to use LDAP as I think Samba +
> PAM might be sufficient for this.
>
> It seems there's something wrong (or simply limited) with PAM <->
> Samba interaction when managing account restrictions.
>
> So the final questions are:
> 1) Is it possible to make Samba force a password change request at
> client side during logon due to PAM account restrictions?
> 2) If YES: where have I gone wrong?
> 3) If NO: Is there a stable/production alternative for password
> expiry in Samba?
>
> Many thanks in advance.
>
> Sorry for my English.
>
> Sauro Saltini