samba - Jul 2011 - Password Resets as root

I've got a cluster of Samba servers with security=user and a ctdb passdb 
backend.  I need to keep the passwords for the users in sync with another 
system, which will pass me userid and password for each change and reset. 
My question is what is the simplest way to do the password reset for a 
user as root on one of the Samba servers.  I need to allow the user to 
change their password immediately after reset despite the presence of a 
minimum password age policy in the case of reset.  It seems windows does 
this by setting one of the password time fields to 0 to mean "password 
must change at next login" for this case.  If I use "smbpasswd
-s" as root
the password is changed as I want, but the user cannot change the password 
until the next day.  I didn't see a way to set this flag via any of the 
Samba tools as root.

I was able to get this working via rpcclient by mimicking an admin 
password reset from a Windows machine, but this required having access to 
the password for an admin account available to the automation. 

I ended up patching pdbedit to add a new option "  -Y, --pw-must-change    
     set password must change flag" and call this after setting the pw. 
Does anyone know if there is another way to accomplish this so I don't 
have to patch Samba at each release?  If there is no way with the current 
tools would a patch be accepted to add this?

Thanks,

John Janosik
jpjanosi at us.ibm.com

On Mon, Jul 11, 2011 at 10:45:21AM -0500, John P Janosik
wrote:
> I've got a cluster of Samba servers with security=user and a ctdb
passdb
> backend.  I need to keep the passwords for the users in sync with another 
> system, which will pass me userid and password for each change and reset. 
> My question is what is the simplest way to do the password reset for a 
> user as root on one of the Samba servers.  I need to allow the user to 
> change their password immediately after reset despite the presence of a 
> minimum password age policy in the case of reset.  It seems windows does 
> this by setting one of the password time fields to 0 to mean "password
> must change at next login" for this case.  If I use "smbpasswd
-s" as root
> the password is changed as I want, but the user cannot change the password 
> until the next day.  I didn't see a way to set this flag via any of the
> Samba tools as root.
> 
> I was able to get this working via rpcclient by mimicking an admin 
> password reset from a Windows machine, but this required having access to 
> the password for an admin account available to the automation. 
> 
> I ended up patching pdbedit to add a new option "  -Y,
--pw-must-change
>      set password must change flag" and call this after setting the
pw.
> Does anyone know if there is another way to accomplish this so I don't 
> have to patch Samba at each release?  If there is no way with the current 
> tools would a patch be accepted to add this?
First, such a patch would be appreciated, although pdbedit
is a bit deprecated. Try "net sam set pwdmustchangenow".

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen