samba - Jul 2005 - Samba3, ldap and password expiry

Hi all!

We are using 1 Samba PDC and 2 bdc (Version
3.0.15pre3-SVN-build-UNKNOWN-PS-SuSE) with openldap2-2.2.6-37.38 on
SLES 9.

New users setup ok and first logon password change works.  Because of
HIPAA we need the passwords to change every 30 days however this isn't
happening. 

I thought that I had this working once upon a time while I was testing
and getting ready for production but somewhere along the line I must've
changed something.  At any rate we're moving into production (3
departments so far!) and this has come to my attention.

Other relevant data:
ldapsearch -x -b "dc=hrh,dc=org"
"(ObjectClass=*)"
>current_ldapsearch.txt   and looking up my account shows:
# jslittl, People, hrh.org
dn: uid=jslittl,ou=People,dc=hrh,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: jslittl
sn: jslittl
uid: jslittl
uidNumber: 1004
homeDirectory: /home/jslittl
loginShell: /bin/bash
gecos: System User
sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008
description: domain admin
sambaKickoffTime: 0
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
 00000000
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [U          ]
gidNumber: 512
sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1116358396
sambaPwdLastSet: 1116358396
displayName: little, john
sambaProfilePath: \\hrhdc01\profiles\jslittl

from smbldap-tools.conf:
defaultMaxPasswordAge="30" under the Unix Accounts Configuration
We are using smbldap-tools-0.9.1-1 for this.

Please let me know what else to check/change for this to work.

Regards,
John Little
Hendricks Regional Health
jslittl@hendricks.org


		
____________________________________________________
Sell on Yahoo! Auctions ? no fees. Bid on great items.  
http://auctions.yahoo.com/

> New users setup ok and first logon password change works.  Because of
> HIPAA we need the passwords to change every 30 days however this isn't
> happening. 
> I thought that I had this working once upon a time while I was testing
> and getting ready for production but somewhere along the line I must've
> changed something.  At any rate we're moving into production (3
> departments so far!) and this has come to my attention.
Have you tried setting a password change policy via pdbedit?
> Other relevant data:
> ldapsearch -x -b "dc=hrh,dc=org" "(ObjectClass=*)"
> >current_ldapsearch.txt   and looking up my account shows:
> # jslittl, People, hrh.org
> dn: uid=jslittl,ou=People,dc=hrh,dc=org
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: jslittl
> sn: jslittl
> uid: jslittl
> uidNumber: 1004
> homeDirectory: /home/jslittl
> loginShell: /bin/bash
> gecos: System User
> sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008
> description: domain admin
> sambaKickoffTime: 0
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> sambaAcctFlags: [U          ]
> gidNumber: 512
> sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512
> sambaPwdMustChange: 2147483647
This is way more than 30 days into the future.
> sambaPwdCanChange: 1116358396
> sambaPwdLastSet: 1116358396
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20050712/97672edc/attachment.bin