samba - Mar 2007 - Can't change password change dates with PDBEDIT

I'm setting up a Samba server using CentOS 4's (RedHat Enterprise Linux)
standard version (v.3.0101411).  I want to be able to force users to
change their password upon first logging in and to have to change them
after a certain period of time (per user, not system-wide).

The problem is that the pdbedit commands don't seem to be registering at
all in the database.  If I enter the following command:
pdbedit --pwd-must-change-time="2010-01-01"
--time-format="%Y-%m-%d"

I still get:
Password last set:    Fri, 16 Mar 2007 10:02:06 GMT
Password can change:  Fri, 16 Mar 2007 10:02:06 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT

How do I control login times?

(I'm moving from a Novel Netware server where these kind of
administration tasks were very easy.  I'm disappointed that it is taking
me so long to get this done.)

Boaz

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Boaz,

	I'm using LDAP as a backend so YMMV.


On 03/16/2007 12:10 PM, Boaz Bezborodko wrote:
> I'm setting up a Samba server using CentOS 4's (RedHat 
> Enterprise Linux) standard version (v.3.0101411).  I
	Hmmm, you should upgrade your samba version. Not sure
if it will solve your problem, but I'm using 3.0.24 and the
information of this message is based on this version. Anyway,
3.0.14 and 3.0.2x has lots of improvements and fixes that are
worthwhile.

> want to be able to force users to change their password
> upon first logging in and to have to change them after
> a certain period of time (per user, not system-wide).
> 
> The problem is that the pdbedit commands don't seem to 
> be registering at all in the database.  If I enter the
> following command:
> pdbedit --pwd-must-change-time="2010-01-01"
--time-format="%Y-%m-%d"
	Not sure if it is a bug in pdbedit, but there is an
unusual behaviour of samba with regards to passwd fields,
here is a message where I explain the behaviour:

http://lists.samba.org/archive/samba/2007-February/129890.html

> I still get:
> Password last set:    Fri, 16 Mar 2007 10:02:06 GMT
> Password can change:  Fri, 16 Mar 2007 10:02:06 GMT
> Password must change: Mon, 18 Jan 2038 22:14:07 GMT
> 
> How do I control login times?
	Basically, even when changing it per-user, you need
to respect that global policy to get things working as
expected. I've been adding users and doind the pwd dance
for a few months now, and everything is working fine.


	Kind regards,
- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF/pDICj65ZxU4gPQRArnbAJ4ogQBBs6p5aRVpE/L4nzt7860pkgCgnMJJ
0+mBiGOwm/3B0O69iFhGwsM=86gH
-----END PGP SIGNATURE-----

Felipe Augusto van de Wiel wrote:
> Hi Boaz,
> 
Thanks for the reply, Felipe.
> 	I'm using LDAP as a backend so YMMV.
> 
I've been thinking about using LDAP, but I don't have a very large
installation (maybe 15 computers) so I wanted to avoid getting overly
complicated.  But it seems that tdbSAM is not much better as it is very
difficult to get good information on how to get things done.
> 
> On 03/16/2007 12:10 PM, Boaz Bezborodko wrote:
>> I'm setting up a Samba server using CentOS 4's (RedHat 
>> Enterprise Linux) standard version (v.3.0101411).  I
> 
> 	Hmmm, you should upgrade your samba version. Not sure
> if it will solve your problem, but I'm using 3.0.24 and the
> information of this message is based on this version. Anyway,
> 3.0.14 and 3.0.2x has lots of improvements and fixes that are
> worthwhile.
> 
I was sticking with the official RedHat release if only because previous
advice was that I should probably stick with it unless I specifically
needed new features as it was likely the most stable version with this OS.

I did not anticipate that what seem like basic operations would be so
difficult to apply.  Is this a version thing?  I would think that
adjusting dates in a database would be an easy thing to do.
> 
>> want to be able to force users to change their password
>> upon first logging in and to have to change them after
>> a certain period of time (per user, not system-wide).
> 
>> The problem is that the pdbedit commands don't seem to 
>> be registering at all in the database.  If I enter the
>> following command:
>> pdbedit --pwd-must-change-time="2010-01-01"
--time-format="%Y-%m-%d"
> 
> 	Not sure if it is a bug in pdbedit, but there is an
> unusual behaviour of samba with regards to passwd fields,
> here is a message where I explain the behaviour:
> 
> http://lists.samba.org/archive/samba/2007-February/129890.html
> 
I'll try this out.

Thanks for the assistance.

Boaz

Felipe Augusto van de Wiel wrote:
> Hi Boaz,
> 
> 	I'm using LDAP as a backend so YMMV.
> 
> 
> On 03/16/2007 12:10 PM, Boaz Bezborodko wrote:
>> I'm setting up a Samba server using CentOS 4's (RedHat 
>> Enterprise Linux) standard version (v.3.0101411).  I
> 
> 	Hmmm, you should upgrade your samba version. Not sure
> if it will solve your problem, but I'm using 3.0.24 and the
> information of this message is based on this version. Anyway,
> 3.0.14 and 3.0.2x has lots of improvements and fixes that are
> worthwhile.
> 
> 
>> want to be able to force users to change their password
>> upon first logging in and to have to change them after
>> a certain period of time (per user, not system-wide).
> 
OK, for those who may have found this on a search I found that the
easiest way to do this was to use the NT4 User Manager tool to set the
flag that forces the user to change password at the next login.

Just search for SRVTOOLS.EXE, download them and execute the file in the
directory in which you want them to be installed.

Boaz