I have been working to get pdbedit to expire passwords. I have seen several bugs related to pdbedit (bugzilla bug 4630 for example) on 3.0.25 so I upgraded to 3.0.25a, the latest Samba version as of this writing. What I am trying to do is set a particular user's password to expire on a certain date. If that can't be done, the ability to set it to expire "now" would be my next choice. I have been attempting to use the --pwd-must-change-time switch of pdbedit as listed in the Samba docs at http://cr.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing but it doesn't seem to work no matter how I attempt to use it. Furthermore, the man page and help options for pdbedit don't even mention this option. I am using tdbsam as the backend database and would prefer to stay with that as it seems like it should have the ability to do this. I would also rather solve this using tdbsam because if I have to change the backend database, I would have to do it on several separate stand-alone system to keep the setup consistent throughout the company. By the way, I do have a policy set for all users, but that is not the issue here. 1.) Does the --pwd-must-change-time switch of pdbedit work in 3.0.25a or is that left over from a previous version? 2.) If it is supposed to work, can someone provide an example of how they have used it that has worked for them? 3.) If it doesn't work, how can I expire a password for a particular user at a given date, or even expire it "now"? Any help would be greatly appreciated.
On 5/30/07, lists@trcintl.com <lists@trcintl.com> wrote:> > 1.) Does the --pwd-must-change-time switch of pdbedit work in 3.0.25a or > is that left over from a previous version?The change is that it was not the "correct" way of setting password expiration. It is supposed to be dynamically calculated from the policy. This way, when the policy changes, users with longer password expiration aren't getting grandfathered in. We no longer support setting this directly. 2.) If it is supposed to work, can someone provide an example of how they> have used it that has worked for them?Instead, use the "net sam policy" command (it contains help text), and the policy name is "maximum password age". You can alternatively use pdbedit -P "maximum password age" to view and additionally -C <seconds> to set the policy. You should immediately see that it has changed. You cannot choose "now" as a policy, or everyone's password would always been expired, even immediately after set. You should probably use the "net sam policy" command, as we're trying to move away from the pdbedit command. 3.) If it doesn't work, how can I expire a password for a particular user> at a given date, or even expire it "now"?To expire it "now" for a given user, you can issue "net sam set pwdmustchangenow". -- ------------------- Jim McDonough Samba Team jmcd at samba dot org