Philippe LeCavalier
2021-Jul-17 15:16 UTC
[Samba] Password policy for user-managed passwords
Anyone else?

On Thu, Jul 15, 2021, 04:28 Philippe LeCavalier <support at plecavalier.com> wrote:

> On Wed, Jul 14, 2021 at 10:09 PM Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
>> On Wed, Jul 14, 2021 at 12:09 PM Philippe LeCavalier via samba
>> <samba at lists.samba.org> wrote:
>> >
>> > Hi,
>> >
>> > I'm moving away from managing passwords for my clients.
>>
>> Better late than never. A sysadmin should never be responsible for
>> setting passwords for users.
>>
> That's an opinion.
>
>>
>> If your clients are logging into domain-joined Windows workstations,
>> then you have nothing to worry about. Windows will force the user to
>> change their password before/when it expires. The same goes for most
>> configurations of Linux workstations joined to the domain, also.
>>
>> If your client workstations are not domain-joined, you should really
>> consider doing that.
>>
>> If you have an Active Directory domain, but your users aren't using
>> interactive login, then what are you using the domain for? Just Samba
>> share auth?
>>
> They are domain-joined and interactive login is there but the expiration
> isn't set or is set to 0, that's all. So as my initial question: do I
> simply set the expiration to the desired cycle, say 60 days? And if I don't
> want to wait 60 days for the first reset, what's the best approach? Thanks,
> Phil
>
On Sat, 2021-07-17 at 11:16 -0400, Philippe LeCavalier via samba wrote:
> Anyone else?

There are several things in play here. There is the default domain password expiry, which can be shown by running:

    samba-tool domain passwordsettings show

You can force a user to change their password by resetting it with:

    samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login

There are a couple of attributes that need changing, userAccountControl and accountExpires.

If 'accountExpires' isn't set, then the password will expire on the day shown by the first samba-tool command above. A value of 0 or 9223372036854775807 indicates that the account never expires.

You can set the password expiry with:

    samba-tool user setexpiry

Add '--help' to the above command for more info.

Rowland
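
An added example, not part of the original thread and not Samba's own code: a Python sketch that decodes the attributes discussed above to audit when an account and its password expire. It assumes the standard AD attribute `pwdLastSet` and the `userAccountControl` flag `UF_DONT_EXPIRE_PASSWD` (0x10000), neither of which is named in the thread; the function names and the sample user values are constructed.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 9223372036854775807)   # accountExpires values meaning "never"
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl flag (assumed, see lead-in)


def filetime_to_dt(value):
    """Convert an AD timestamp (100 ns ticks since 1601-01-01 UTC)."""
    return AD_EPOCH + timedelta(microseconds=value // 10)


def account_expiry(account_expires):
    """Return the account expiry time, or None if the account never expires."""
    if account_expires in NEVER:
        return None
    return filetime_to_dt(account_expires)


def password_expiry(pwd_last_set, uac, max_pwd_age_days):
    """Return 'never', 'must-change-now', or the password expiry datetime.

    max_pwd_age_days is the maximum password age in days reported by
    'samba-tool domain passwordsettings show'; 0 means no expiry.
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never"
    if pwd_last_set == 0:
        # State left behind by --must-change-at-next-login
        return "must-change-now"
    if max_pwd_age_days == 0:
        return "never"
    return filetime_to_dt(pwd_last_set) + timedelta(days=max_pwd_age_days)


if __name__ == "__main__":
    # Constructed sample: password set 2021-07-17 00:00 UTC, normal account
    # (userAccountControl 0x200), 60-day policy, no account expiry.
    user = {"pwdLastSet": 132709536000000000,
            "userAccountControl": 0x200,
            "accountExpires": 9223372036854775807}
    print("account expires :", account_expiry(user["accountExpires"]))
    print("password expires:", password_expiry(
        user["pwdLastSet"], user["userAccountControl"], 60))
```

The raw attribute values can be read from the directory with an LDAP search and passed in as integers.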