- the account is enabled until password expiry and I have no kind of
notification about the expiration of password....
- then a nice day the password really expires and, instead of been forced to
change it, the user is simply LOCKED OUT (account disabled)
Note that in UNIX the user is still active as I've set a long Interval
beetwen pwd expiry and account locking !
The only functionality needed is a correct expiration / change-forcing behaviour
from Win2K, so I don't want to use LDAP as i think Samba + PAM might be
sufficient for this.
It seems there's something wrong (or simply limited) with PAM <->
Samba interaction when managing account restrictions.
So the final questions are :=20
1) Is it possible to make Samba force a password change request at client side
during logon due to PAM account restrictions ?
2) If YES : where I've gone wrong ?
3) If NO : Is there a stable/production alternative for password expiry in
Samba?
Many thanks in advance.
Sorry for my english.
Sauro Saltini
------=_NextPart_000_0011_01C2897F.3C166DF0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html;
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2600.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hi,
everybody.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I've read many posts about
forcing users to change=20
their passwords at logon time from windows clients, but still I can't make
it=20
work.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I've set up a Samba PDC with
the latest stable=20
version (2.2.6) of samba and configured it to do Unix password syncing
through=20
PAM.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Then I've set up Unix passwords
with the right=20
aging parameters and all works fine in Unix (I've got logon messages
about=20
password expiration and I'm forced to change password after expiration=20
time)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>From a Win2K client I can't get
it work
:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>- the account is enabled until
password expiry and=20
I have no kind of notification about the expiration of
password....</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>- then a nice day the password
really expires and,=20
instead of been forced to change it, the user is simply LOCKED
OUT (account=20
disabled)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Note that in UNIX the user is still
active as I've=20
set a long Interval beetwen pwd expiry and account locking
!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>The only functionality needed is a
correct=20
expiration / change-forcing behaviour from Win2K, so I don't want to use
LDAP as=20
i think Samba + PAM might be sufficient for this.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>It seems there's
something wrong (or simply=20
limited) with PAM <-> Samba interaction when managing account=20
restrictions.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>So the final questions are
: </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>1) Is it possible to make
Samba force a=20
password change request at client side during logon due to PAM account=20
restrictions ?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>2) If YES : where I've gone
wrong ?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>3) If NO : Is there
a stable/production=20
alternative for password expiry in Samba?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Many thanks in
advance.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sorry for my
english.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sauro
Saltini</FONT></DIV></BODY></HTML>
------=_NextPart_000_0011_01C2897F.3C166DF0--
