I have been having some problems since I updated from Samba 3.0.23 to 3.0.25b. I have installed the latest version of smbldap-tools but I am still not able to make certain changes to a user's account. I have created a new user named JROLFE. After I set up a new user, I will set it so they are required to change their password when they first login. I usually do this through LDAP Account Manager. I set User can change password to a date in the past and User must change password to a date in the past. But for some reason it didn't work. If I run pdbedit -Lv -u jrolfe, I get: Password last set: Mon, 01 Jan 2007 03:00:00 EST Password can change: Mon, 08 Jan 2007 03:00:00 EST Password must change: never If I run ../smbldap-usershow jrolfe, I get: sambaPwdCanChange: 1183795200 sambaPwdLastSet: 1167638400 sambaPwdMustChange: 1167638400 The unix times converted to english are: Sat, 07 Jul 2007 08:00:00 GMT and Mon, 01 Jan 2007 08:00:00 GMT. So you can see that the dates do not match between pdbedit and smbldap-tools. This is really causing a problem because I am trying to set up a new user and cannot get his password to expire. -- *Jason Baker */IT Coordinator/ *Glastender Inc.* 5400 North Michigan Road Saginaw, Michigan 48604 USA 800.748.0423 Phone: 989.752.4275 ext. 228 Fax: 989.752.4444 www.glastender.com <http://www.glastender.com> -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT$ d- s: a C++$ LU+++$ P+ L++>L++++ !E--- W+++ N o? K? w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- r+++ y+++ ------END GEEK CODE BLOCK------
Jason Baker escreveu:> I have been having some problems since I updated from Samba 3.0.23 to > 3.0.25b. I have installed the latest version of smbldap-tools but I am > still not able to make certain changes to a user's account. I have > created a new user named JROLFE. > After I set up a new user, I will set it so they are required to > change their password when they first login. I usually do this through > LDAP Account Manager. > I set User can change password to a date in the past and User must > change password to a date in the past. But for some reason it didn't > work. If I run pdbedit -Lv -u jrolfe, I get: > > Password last set: Mon, 01 Jan 2007 03:00:00 EST > Password can change: Mon, 08 Jan 2007 03:00:00 EST > Password must change: never > > If I run ../smbldap-usershow jrolfe, I get: > > sambaPwdCanChange: 1183795200 > sambaPwdLastSet: 1167638400 > sambaPwdMustChange: 1167638400 > > The unix times converted to english are: Sat, 07 Jul 2007 08:00:00 GMT > and Mon, 01 Jan 2007 08:00:00 GMT. So you can see that the dates do > not match between pdbedit and smbldap-tools. > This is really causing a problem because I am trying to set up a new > user and cannot get his password to expire.According the samba documentation: sambaPwdLastSet: The integer time in seconds since 1970 when the sambaLMPassword and sambaNTPassword attributes were last set. sambaPwdCanChange: Specifies the time (UNIX time format) after which the user is allowed to change his password. If this attribute is not set, the user will be free to change his password whenever he wants. sambaPwdMustChange: Specifies the time (UNIX time format) when the user is forced to change his password. If this value is set to 0, the user will have to change his password at first login. If this attribute is not set, then the password will never expire. "UNIX time format" (1) means exactly that time measured in seconds since 1970, and your results appears to be coherent with time measured in seconds. sambaPwdCanChange: 1183795200 sambaPwdLastSet: 1167638400 Your sambaPwdCanChange is 7 days (measured in seconds) beyond sambaPwdLastSet (thats is exactly the same result that pdbedit is showing). Passwords can be forced to change using smbldap-tools "smbldap-usermod -B 1 user" too. And as the docs say, users are forced to change their passwords when sambaPwdMustChange is set to 0. I don't know how your system used to be, but the docs says how it should behaves. 1. http://en.wikipedia.org/wiki/Unix_time Regards. Edmundo Valle Neto
In case anyone was following this thread, I finally did find the solution. Apparently you can no long expire a user's password by issuing the command: pdbedit --pwd-must-change-time... If you want to require a user to change their password at next login, you need to issue the command: net sam set pwdmustchangenow <username> yes This will ask the user to change their password the next time they attempt to login. The --pwd-must-change-time is actually reserved for the time when a password is set to expire by using policies (such as every 30 days, etc.). *Jason Baker */IT Coordinator/ *Glastender Inc.* 5400 North Michigan Road Saginaw, Michigan 48604 USA 800.748.0423 Phone: 989.752.4275 ext. 228 Fax: 989.752.4444 www.glastender.com <http://www.glastender.com> -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GIT$ d- s: a C++$ LU+++$ P+ L++>L++++ !E--- W+++ N o? K? w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- r+++ y+++ ------END GEEK CODE BLOCK------ Jason Baker wrote:> I have been having some problems since I updated from Samba 3.0.23 to > 3.0.25b. I have installed the latest version of smbldap-tools but I am > still not able to make certain changes to a user's account. I have > created a new user named JROLFE. > After I set up a new user, I will set it so they are required to > change their password when they first login. I usually do this through > LDAP Account Manager. > I set User can change password to a date in the past and User must > change password to a date in the past. But for some reason it didn't > work. If I run pdbedit -Lv -u jrolfe, I get: > > Password last set: Mon, 01 Jan 2007 03:00:00 EST > Password can change: Mon, 08 Jan 2007 03:00:00 EST > Password must change: never > > If I run ../smbldap-usershow jrolfe, I get: > > sambaPwdCanChange: 1183795200 > sambaPwdLastSet: 1167638400 > sambaPwdMustChange: 1167638400 > > The unix times converted to english are: Sat, 07 Jul 2007 08:00:00 GMT > and Mon, 01 Jan 2007 08:00:00 GMT. So you can see that the dates do > not match between pdbedit and smbldap-tools. > This is really causing a problem because I am trying to set up a new > user and cannot get his password to expire.