samba - Mar 2005 - Unchangeable "Password must change: Fri, 13 Dec 1901 21:45:51 MET "

Hello Group,

I've been reading many posts but i still don't have the answer to how to
force a password change or set a password lifetime.

I'm using w2k clients which connect to a samba PDC version 3.0.10 on a basic
SunOS 5.8 system, no ldap or so.
syncing the ux-passwords and the smb-passwords works perfect, 
but i can't get it working to force users to change passwords.

The command that should do this is ;
pdbedit -P "maximum password age" -C 5
I know this are seconds, but just for testing

Running this command as root gives;
root> pdbedit -P "maximum password age" -C 5
account policy value for maximum password age was 100
account policy value for maximum password age is now 5
root>

It does change the policy;
account policy value for maximum password age is 5

but nothing is changed when i give the pdbedit -v command.
When i run a pdbedit after i logged in/out as a user on the w2k system,
nothing has happened
the output is exactly the same as it was before.

root> pdbedit -v -u useraa
Unix username:        useraa
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-4240529304-4054190640-1643903753-27306
Primary Group SID:    S-1-5-21-4240529304-4054190640-1643903753-1021
Full Name:
Home Directory:       \\server\useraa
HomeDir Drive:
Logon Script:
Profile Path:         \\server\useraa\profile
Domain:               NETDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 MET
Kickoff time:         Fri, 13 Dec 1901 21:45:51 MET
Password last set:    Thu, 03 Mar 2005 17:21:36 MET
Password can change:  Thu, 03 Mar 2005 17:21:36 MET
Password must change: Fri, 13 Dec 1901 21:45:51 MET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root>

Selecting the option "change password at next logon" is usrmgr on the
w2k machine doesn't do the trick either.

Does anybody have a suggestion to get this running? Or is there another
way to force users once in a while to change password?
(maybe some command(s) i can put in cron)

All help is welcome

Thanks in advance

Harold

Harold,

Are you using tdbsam as your password backend? If not, then you can not do 
what you  are attempting to do. There is no place in the smbpasswd file to  
store account aging information. Please confirm that you have in the globals 
section of your smb.conf file:

	passdb backend = tdbsam

If you need to migrate from smbpasswd to tdbsam, after the above has been 
added to the smb.conf file you can migrate the data by executing:

	pdbedit -i smbpasswd -e tdbsam


Cheers,
John T.

On Friday 04 March 2005 09:37, harold.celie@bt.com
wrote:
> Hello Group,
>
> I've been reading many posts but i still don't have the answer to
how to
> force a password change or set a password lifetime.
>
> I'm using w2k clients which connect to a samba PDC version 3.0.10 on a
> basic SunOS 5.8 system, no ldap or so. syncing the ux-passwords and the
> smb-passwords works perfect,
> but i can't get it working to force users to change passwords.
>
> The command that should do this is ;
> pdbedit -P "maximum password age" -C 5
> I know this are seconds, but just for testing
>
> Running this command as root gives;
> root> pdbedit -P "maximum password age" -C 5
> account policy value for maximum password age was 100
> account policy value for maximum password age is now 5
> root>
>
> It does change the policy;
> account policy value for maximum password age is 5
>
> but nothing is changed when i give the pdbedit -v command.
> When i run a pdbedit after i logged in/out as a user on the w2k system,
> nothing has happened
> the output is exactly the same as it was before.
>
> root> pdbedit -v -u useraa
> Unix username:        useraa
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-4240529304-4054190640-1643903753-27306
> Primary Group SID:    S-1-5-21-4240529304-4054190640-1643903753-1021
> Full Name:
> Home Directory:       \\server\useraa
> HomeDir Drive:
> Logon Script:
> Profile Path:         \\server\useraa\profile
> Domain:               NETDOM
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Fri, 13 Dec 1901 21:45:51 MET
> Kickoff time:         Fri, 13 Dec 1901 21:45:51 MET
> Password last set:    Thu, 03 Mar 2005 17:21:36 MET
> Password can change:  Thu, 03 Mar 2005 17:21:36 MET
> Password must change: Fri, 13 Dec 1901 21:45:51 MET
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> root>
>
> Selecting the option "change password at next logon" is usrmgr on
the
> w2k machine doesn't do the trick either.
>
> Does anybody have a suggestion to get this running? Or is there another
> way to force users once in a while to change password?
> (maybe some command(s) i can put in cron)
>
> All help is welcome
>
> Thanks in advance
>
> Harold
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.