Philippe LeCavalier
2021-Jul-14 16:07 UTC
[Samba] Password policy for user-managed passwords
Hi,

I'm moving away from managing passwords for my clients. I'm just trying to understand the specifics around expiration and how the user gets prompted with an ADDC and what the simplest approach would look like.

Thanks,
Phil
Jonathon Reinhart
2021-Jul-15 02:08 UTC
[Samba] Password policy for user-managed passwords
On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> I'm moving away from managing passwords for my clients.

Better late than never. A sysadmin should never be responsible for setting passwords for users.

> I'm just trying to understand the specifics around expiration and how the user gets prompted with an ADDC and what the simplest approach would look like.

If your clients are logging into domain-joined Windows workstations, then you have nothing to worry about. Windows will force the user to change their password before/when it expires. The same goes for most configurations of Linux workstations joined to the domain, also.

If your client workstations are not domain-joined, you should really consider doing that. If you have an Active Directory domain, but your users aren't using interactive login, then what are you using the domain for? Just Samba share auth?

If you really don't want to use interactive login, but still want to expire user passwords, I can offer a couple of tools that I wrote:

1) Diress (Directory Self-Service, pronounced "duress") -- A very simple web app allowing users to change their password from a web browser.
   https://gitlab.com/JonathonReinhart/diress/

2) ADMan (Active Directory Management) -- Automated AD administrative tasks. One of the things it can do is email users when their passwords are about to expire.
   https://gitlab.com/JonathonReinhart/adman

Good luck,
Jonathon
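The calculation behind an expiry reminder of the kind mentioned in the message above, as an added example (not code from ADMan, Diress or the original thread). It works from the AD attributes `pwdLastSet`, `userAccountControl` and the domain's `maxPwdAge`; the user records, the 42-day policy and the function names are constructed for illustration, and per-user password settings objects are not considered.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
NEVER = (0, -0x8000000000000000)       # maxPwdAge values meaning "no expiry"
TICKS_PER_DAY = 86400 * 10**7          # AD intervals are 100 ns ticks

def to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(user, max_pwd_age):
    """Expiry datetime, None (never expires) or 'must-change' (pwdLastSet == 0)."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if user["pwdLastSet"] == 0:
        return "must-change"           # change required at next logon
    if max_pwd_age in NEVER:
        return None
    return from_filetime(user["pwdLastSet"] - max_pwd_age)  # maxPwdAge is negative

def expiry_report(users, max_pwd_age, now, warn_days=14):
    """Map account name -> status for accounts that need attention."""
    report = {}
    for u in users:
        exp = password_expiry(u, max_pwd_age)
        if exp is None:
            continue
        if exp == "must-change":
            report[u["name"]] = "must change at next logon"
            continue
        days = (exp - now).days
        if days < 0:
            report[u["name"]] = "expired"
        elif days <= warn_days:
            report[u["name"]] = f"expires in {days} days"
    return report

# Constructed sample data; a real run would read these attributes over LDAP.
UTC = timezone.utc
NOW = datetime(2021, 7, 15, tzinfo=UTC)
MAX_PWD_AGE = -42 * TICKS_PER_DAY      # assumed 42-day domain policy
USERS = [
    {"name": "alice", "userAccountControl": 0x200, "pwdLastSet": to_filetime(datetime(2021, 6, 10, tzinfo=UTC))},
    {"name": "bob", "userAccountControl": 0x200, "pwdLastSet": to_filetime(datetime(2021, 7, 1, tzinfo=UTC))},
    {"name": "svc", "userAccountControl": 0x10200, "pwdLastSet": to_filetime(datetime(2019, 1, 1, tzinfo=UTC))},
    {"name": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"name": "dave", "userAccountControl": 0x200, "pwdLastSet": to_filetime(datetime(2021, 5, 1, tzinfo=UTC))},
]
```

Accounts that do not log in interactively never see the workstation's change prompt, so the "expired" and "expires in N days" entries are the ones a reminder mail would target.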
Hello:

I am setting up a lab with Samba4 AD + bind9. For now it works without problems.

My idea is to join other Samba4 and I have doubts about Bind. I understand that each AD Samba4 that joins the domain will have its own bind_dlz.

My question is: will each bind be independent and take the information from its local AD through dlz (with the DNS synchronization handled by Samba), or should I have a bind master and the others slave? As far as I understand, the first option is the correct one, but please correct me if I'm wrong.

Regards
Marcos Negrini