samba - Jun 2005 - Samba Password Expiry Date

Hi,

i have configured a Samba PDC based on idealx.org.
now, whenever i set the sambaMustChangePassword flag to 0, then
from the subsequent logon, there is a popup urge me for changing password.
now, the problem is after i have changed the password, the 
sambaMustChangePassword
is set to 2147483647(unix timestamp), which if i converted it into human 
readable format, it will be  2038 year, bla..bla..and bla second. it is 
really unbelieveable that my password will be lasted until year 2038 
year??? i have looked thoroughly on the internet resources, some 
mentioning about on defaultMaxPasswordAge flag. I think i have set it to 
55 (actually, i dunno whether what is the quantity representing, day?? 
time??). but, i have no point to make it works.

so, i am seeking the solution making the password expiry feature 
avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.

Cheers,
yenonn

Hello,

 > so, i am seeking the solution making the password expiry feature
 > avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.

the password expires in Unix and Samba.

Samba does all changes for itself. You can set password-age to 60 days 
by typing:

#> pdbedit -P "maximum password age" -C 5007600

For Linux you have to change "shadowlastchange" in LDAP. I wrote a 
script for this:

smb.conf:
#---------------------------------------------------------
unix password sync = yes
passwd program = /etc/samba/scripts/ldap_userPassword_change %u
passwd chat = *New*password* %n\n *new*password* %n\n *Success*
#---------------------------------------------------------

/etc/samba/scripts/ldap_userPassword_change:
#---------------------------------------------------------
#!/bin/sh

LDAP_SERVER="ldapserver"
LDAP_USER="uid=userPassChange,o=mydomain,c=com"
LDAP_PASS="secret"
LDAP_PASSWD="/usr/bin/ldappasswd"
LDAP_MODIFY="/usr/bin/ldapmodify"

#DN of User
USER_DN="uid=$1,ou=users,o=mydomain,c=com"

#Get Date
TS=`date +%s`
SLC="$(($TS/24/3600))"

#-> MODIFY userPassword
$LDAP_PASSWD -x -h $LDAP_SERVER -D $LDAP_USER -w $LDAP_PASS -S $USER_DN

#-> MODIFY shadowlastchange
if [ $? -eq 0 ]; then
echo "dn: $USER_DN
changetype: modify
replace: shadowLastChange
shadowLastChange: $SLC" | $LDAP_MODIFY -x -h $LDAP_SERVER -D $LDAP_USER 
-w $LDAP_PASS >/dev/null 2>&1
fi

exit
#---------------------------------------------------------

kind regards
Matthias


Hiu Yen Onn schrieb:
> Hi,
> 
> i have configured a Samba PDC based on idealx.org.
> now, whenever i set the sambaMustChangePassword flag to 0, then
> from the subsequent logon, there is a popup urge me for changing password.
> now, the problem is after i have changed the password, the 
> sambaMustChangePassword
> is set to 2147483647(unix timestamp), which if i converted it into human 
> readable format, it will be  2038 year, bla..bla..and bla second. it is 
> really unbelieveable that my password will be lasted until year 2038 
> year??? i have looked thoroughly on the internet resources, some 
> mentioning about on defaultMaxPasswordAge flag. I think i have set it to 
> 55 (actually, i dunno whether what is the quantity representing, day?? 
> time??). but, i have no point to make it works.
> 
> so, i am seeking the solution making the password expiry feature 
> avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
> 
> Cheers,
> yenonn

Matthias Spork wrote:
> Hello,
>
> > so, i am seeking the solution making the password expiry feature
> > avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
>
> the password expires in Unix and Samba.
>
> Samba does all changes for itself. You can set password-age to 60 days 
> by typing:
>
> #> pdbedit -P "maximum password age" -C 5007600
>
> For Linux you have to change "shadowlastchange" in LDAP. I wrote
a
> script for this:
>
> smb.conf:
> #---------------------------------------------------------
> unix password sync = yes
> passwd program = /etc/samba/scripts/ldap_userPassword_change %u
> passwd chat = *New*password* %n\n *new*password* %n\n *Success*
> #---------------------------------------------------------
>
> /etc/samba/scripts/ldap_userPassword_change:
> #---------------------------------------------------------
> #!/bin/sh
>
> LDAP_SERVER="ldapserver"
> LDAP_USER="uid=userPassChange,o=mydomain,c=com"
> LDAP_PASS="secret"
> LDAP_PASSWD="/usr/bin/ldappasswd"
> LDAP_MODIFY="/usr/bin/ldapmodify"
>
> #DN of User
> USER_DN="uid=$1,ou=users,o=mydomain,c=com"
>
> #Get Date
> TS=`date +%s`
> SLC="$(($TS/24/3600))"
>
> #-> MODIFY userPassword
> $LDAP_PASSWD -x -h $LDAP_SERVER -D $LDAP_USER -w $LDAP_PASS -S $USER_DN
>
> #-> MODIFY shadowlastchange
> if [ $? -eq 0 ]; then
> echo "dn: $USER_DN
> changetype: modify
> replace: shadowLastChange
> shadowLastChange: $SLC" | $LDAP_MODIFY -x -h $LDAP_SERVER -D 
> $LDAP_USER -w $LDAP_PASS >/dev/null 2>&1
> fi
>
> exit
> #---------------------------------------------------------
>
> kind regards
> Matthias
>
>
> Hiu Yen Onn schrieb:
>
>> Hi,
>>
>> i have configured a Samba PDC based on idealx.org.
>> now, whenever i set the sambaMustChangePassword flag to 0, then
>> from the subsequent logon, there is a popup urge me for changing 
>> password.
>> now, the problem is after i have changed the password, the 
>> sambaMustChangePassword
>> is set to 2147483647(unix timestamp), which if i converted it into 
>> human readable format, it will be  2038 year, bla..bla..and bla 
>> second. it is really unbelieveable that my password will be lasted 
>> until year 2038 year??? i have looked thoroughly on the internet 
>> resources, some mentioning about on defaultMaxPasswordAge flag. I 
>> think i have set it to 55 (actually, i dunno whether what is the 
>> quantity representing, day?? time??). but, i have no point to make it 
>> works.
>>
>> so, i am seeking the solution making the password expiry feature 
>> avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
>>
>> Cheers,
>> yenonn
>
>
>
how can u calculate the 5007600. thanks....

Matthias Spork wrote:
> Hello,
>
> > so, i am seeking the solution making the password expiry feature
> > avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
>
> the password expires in Unix and Samba.
>
> Samba does all changes for itself. You can set password-age to 60 days 
> by typing:
>
> #> pdbedit -P "maximum password age" -C 5007600
>
> For Linux you have to change "shadowlastchange" in LDAP. I wrote
a
> script for this:
>
> smb.conf:
> #---------------------------------------------------------
> unix password sync = yes
> passwd program = /etc/samba/scripts/ldap_userPassword_change %u
> passwd chat = *New*password* %n\n *new*password* %n\n *Success*
> #---------------------------------------------------------
>
> /etc/samba/scripts/ldap_userPassword_change:
> #---------------------------------------------------------
> #!/bin/sh
>
> LDAP_SERVER="ldapserver"
> LDAP_USER="uid=userPassChange,o=mydomain,c=com"
> LDAP_PASS="secret"
> LDAP_PASSWD="/usr/bin/ldappasswd"
> LDAP_MODIFY="/usr/bin/ldapmodify"
>
> #DN of User
> USER_DN="uid=$1,ou=users,o=mydomain,c=com"
>
> #Get Date
> TS=`date +%s`
> SLC="$(($TS/24/3600))"
>
> #-> MODIFY userPassword
> $LDAP_PASSWD -x -h $LDAP_SERVER -D $LDAP_USER -w $LDAP_PASS -S $USER_DN
>
> #-> MODIFY shadowlastchange
> if [ $? -eq 0 ]; then
> echo "dn: $USER_DN
> changetype: modify
> replace: shadowLastChange
> shadowLastChange: $SLC" | $LDAP_MODIFY -x -h $LDAP_SERVER -D 
> $LDAP_USER -w $LDAP_PASS >/dev/null 2>&1
> fi
>
> exit
> #---------------------------------------------------------
>
> kind regards
> Matthias
>
>
> Hiu Yen Onn schrieb:
>
>> Hi,
>>
>> i have configured a Samba PDC based on idealx.org.
>> now, whenever i set the sambaMustChangePassword flag to 0, then
>> from the subsequent logon, there is a popup urge me for changing 
>> password.
>> now, the problem is after i have changed the password, the 
>> sambaMustChangePassword
>> is set to 2147483647(unix timestamp), which if i converted it into 
>> human readable format, it will be  2038 year, bla..bla..and bla 
>> second. it is really unbelieveable that my password will be lasted 
>> until year 2038 year??? i have looked thoroughly on the internet 
>> resources, some mentioning about on defaultMaxPasswordAge flag. I 
>> think i have set it to 55 (actually, i dunno whether what is the 
>> quantity representing, day?? time??). but, i have no point to make it 
>> works.
>>
>> so, i am seeking the solution making the password expiry feature 
>> avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
>>
>> Cheers,
>> yenonn
>
>
>
i prompt in the pdbedit -P "maximum password age". it yields to me
this
"account policy value for maximum password age is 4294967295"

what is the digits means to me?? how can i make use of it??? thanks

Normally for compute the value must be set :

nb days * 24 * 60 * 60

* 24 for 24 hours
* 60 for minutes
* 60 for secondes

ex : for 60 days : 5184000

-----------------------------------
St?phane PURNELLE                         stephane.purnelle@corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467

samba-bounces+stephane.purnelle=corman.be@lists.samba.org a ?crit sur
02/06/2005 10:15:01 :
> Matthias Spork wrote:
>
> > Hello,
> >
> > > so, i am seeking the solution making the password expiry feature
> > > avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
> >
> > the password expires in Unix and Samba.
> >
> > Samba does all changes for itself. You can set password-age to 60 days
> > by typing:
> >
> > #> pdbedit -P "maximum password age" -C 5007600
> >
> > For Linux you have to change "shadowlastchange" in LDAP. I
wrote a
> > script for this:
> >
> > smb.conf:
> > #---------------------------------------------------------
> > unix password sync = yes
> > passwd program = /etc/samba/scripts/ldap_userPassword_change %u
> > passwd chat = *New*password* %n\n *new*password* %n\n *Success*
> > #---------------------------------------------------------
> >
> > /etc/samba/scripts/ldap_userPassword_change:
> > #---------------------------------------------------------
> > #!/bin/sh
> >
> > LDAP_SERVER="ldapserver"
> > LDAP_USER="uid=userPassChange,o=mydomain,c=com"
> > LDAP_PASS="secret"
> > LDAP_PASSWD="/usr/bin/ldappasswd"
> > LDAP_MODIFY="/usr/bin/ldapmodify"
> >
> > #DN of User
> > USER_DN="uid=$1,ou=users,o=mydomain,c=com"
> >
> > #Get Date
> > TS=`date +%s`
> > SLC="$(($TS/24/3600))"
> >
> > #-> MODIFY userPassword
> > $LDAP_PASSWD -x -h $LDAP_SERVER -D $LDAP_USER -w $LDAP_PASS -S
$USER_DN
> >
> > #-> MODIFY shadowlastchange
> > if [ $? -eq 0 ]; then
> > echo "dn: $USER_DN
> > changetype: modify
> > replace: shadowLastChange
> > shadowLastChange: $SLC" | $LDAP_MODIFY -x -h $LDAP_SERVER -D
> > $LDAP_USER -w $LDAP_PASS >/dev/null 2>&1
> > fi
> >
> > exit
> > #---------------------------------------------------------
> >
> > kind regards
> > Matthias
> >
> >
> > Hiu Yen Onn schrieb:
> >
> >> Hi,
> >>
> >> i have configured a Samba PDC based on idealx.org.
> >> now, whenever i set the sambaMustChangePassword flag to 0, then
> >> from the subsequent logon, there is a popup urge me for changing
> >> password.
> >> now, the problem is after i have changed the password, the
> >> sambaMustChangePassword
> >> is set to 2147483647(unix timestamp), which if i converted it into
> >> human readable format, it will be  2038 year, bla..bla..and bla
> >> second. it is really unbelieveable that my password will be lasted
> >> until year 2038 year??? i have looked thoroughly on the internet
> >> resources, some mentioning about on defaultMaxPasswordAge flag. I
> >> think i have set it to 55 (actually, i dunno whether what is the
> >> quantity representing, day?? time??). but, i have no point to make
it
> >> works.
> >>
> >> so, i am seeking the solution making the password expiry feature
> >> avaiable in my pdc. FYI, i am using FC2, samba 3.0.3-5. thanks.
> >>
> >> Cheers,
> >> yenonn
> >
> >
> >
> how can u calculate the 5007600. thanks....
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

Hello,
>> #> pdbedit -P "maximum password age" -C 5007600
>>
> Does it apply for all users in my domain???
This feature must be activated on yout domain-master. I've set this 
option also at all other samba domain-controllers (PDC's an BDC's). I 
don't know, if this is required.

There is the ldap-attribute "shadowMax: 60" for each user, but I
don't
know if this works yet with samba 3.0.14.

matze