samba - Feb 2009 - Howto force all users of a samba domain controller to change their password ?

Hi !
I'still running a samba domain controller on a rhel 5 machine, so it is 
version samba-3.0.33-3.7.el5. Users and accounts are still stored in a ldap 
database and everything works fine.
Now that my setup is complete, I'd like to 
- force every user of the domain to change their password the next time they 
open a session on their workstation
- be sure that the password is complex enough
- have it that they don't put the same password as the old one.
I've read many a thing about those topics, and tryed many things, but so far
I
haven't found anything very usefull.
Somewhere I've read that there were modifications to be done using pdbedit
so
as to set the next time the password must be changed. I've tryed on my 
account, it doesn't work as I expected it to do : the password is valid for 
the time passed as an argument, and that's not what I want.
Next, I've read about a cracklib-checker that can be called via the smb.conf
file, but I don't have this cracklib-checker installed on my system, and I 
don't really know where to find it.
Thanks in advance for any help provided.


P.S. I've searched the docs on samba.org, but I haven't found anything 
relevant, and searching the web with "samba force user change
password" gives
many results that don't cover what I'm searching for.

On Tuesday 17 February 2009 11:33:19 BOURIAUD wrote:
> Hi !
> I'still running a samba domain controller on a rhel 5 machine, so it is
> version samba-3.0.33-3.7.el5. Users and accounts are still stored in a ldap
> database and everything works fine.
> Now that my setup is complete, I'd like to
> - force every user of the domain to change their password the next time
> they open a session on their workstation
> - be sure that the password is complex enough
> - have it that they don't put the same password as the old one.
> I've read many a thing about those topics, and tryed many things, but
so
> far I haven't found anything very usefull.
> Somewhere I've read that there were modifications to be done using
pdbedit
> so as to set the next time the password must be changed. I've tryed on
my
> account, it doesn't work as I expected it to do : the password is valid
for
> the time passed as an argument, and that's not what I want.
> Next, I've read about a cracklib-checker that can be called via the
> smb.conf file, but I don't have this cracklib-checker installed on my
> system, and I don't really know where to find it.
> Thanks in advance for any help provided.
>
>
> P.S. I've searched the docs on samba.org, but I haven't found
anything
> relevant, and searching the web with "samba force user change
password"
> gives many results that don't cover what I'm searching for.
Since I got no answer, does it means that there is no possibility to force all 
users to change their password the next time they will connect to the domain ?

> Since I got no answer, does it means that there is no possibility to force
all
> users to change their password the next time they will connect to the
domain ?
>   
It is possible, at least with LDAP. Now, I need to find a way to explain 
how. I am in a hurry now. I will try to come back with some answer.

Meanwhile, get Windows NT4 "User Manager" (it comes with "Server
Tools")
and look at what it offers you.

http://download.microsoft.com/download/winntwks40/utility/7/nt4/en-us/srvtools.exe

Ldap Account Manager (LAM) is a web interface to LDAP.

With it, you can define Minimum password length, Minimum lowercase 
characters, Minimum uppercase characters, Minimum numeric characters, 
Minimum symbolic characters, Minimum character classes, etc.

http://lam.sourceforge.net/

> Ldap Account Manager (LAM) is a web interface to LDAP.
>
> With it, you can define Minimum password length, Minimum lowercase
> characters, Minimum uppercase characters, Minimum numeric characters,
> Minimum symbolic characters, Minimum character classes, etc.
>
> http://lam.sourceforge.net/
>
I use that all the time to manage my samba / linux domain and I recommend it.

John