On Sat, 2021-07-17 at 11:16 -0400, Philippe LeCavalier via samba wrote:
> Anyone else?

There are several things in play here, there is the default domain password expiry, which can be shown by running:

samba-tool domain passwordsettings show

You can force a user to change their password by resetting it with:

samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login

There are a couple of attributes that need changing, userAccountControl and accountExpires

If 'accountExpires' isn't set, then the password will expire on the day shown by the first samba-tool command above. A value of 0 or 9223372036854775807 indicates that the account never expires.

You can set the password expiry with:

samba-tool user setexpiry

Add '--help' to the above command for more info.

Rowland

Philippe LeCavalier
2021-Jul-18 13:56 UTC
[Samba] Password policy for user-managed passwords
Thank you Rowland. I appreciate you taking the time.

On Sat, Jul 17, 2021, 11:49 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 2021-07-17 at 11:16 -0400, Philippe LeCavalier via samba wrote:
> > Anyone else?
>
> There are several things in play here, there is the default domain
> password expiry, which can be shown by running:
>
> samba-tool domain passwordsettings show
>
> You can force a user to change their password by resetting it with:
>
> samba-tool user setpassword User1 --newpassword=passw0rd --must-change-at-next-login

This implies I have to set a password that I would provide to them before they can set a new one if I'm reading that correctly? How would I apply that domain wide?

> There are a couple of attributes that need changing, userAccountControl
> and accountExpires
>
> If 'accountExpires' isn't set, then the password will expire on the day
> shown by the first samba-tool command above. A value of 0 or
> 9223372036854775807 indicates that the account never expires.
>
> You can set the password expiry with:
> samba-tool user setexpiry

Yes. This is the setting I typically set to 0.

> Add '--help' to the above command for more info.
>
> Rowland

I'm still uncertain how I transition smoothly. If I set the password to expire after 1 day will they be prompted to change it or will their account be disabled per the wording for that option? If the first users to change their password change it within a few hours but the others take a week won't the ones that change it be forced to change every day until the slowest tell me they've completed the task and I can change the policy to 60 or 90?

Also, you mentioned 'userAccountControl' needed changing but you didn't elaborate.
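Added example, not part of either message and not Samba's own code: a small Python audit that decodes the two attributes named in the thread, accountExpires and userAccountControl, from LDIF text such as ldbsearch output. The flag values are Microsoft's documented userAccountControl bits; the sample records and the helper names parse_ldif and audit are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
# The two accountExpires values the thread lists as "never expires"
NEVER = (0, 9223372036854775807)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                rec[key] = val
        records.append(rec)
    return records

def audit(rec):
    """Report account expiry and the password-related userAccountControl flags."""
    uac = int(rec.get("userAccountControl", "0"))
    raw = rec.get("accountExpires")
    if raw is None:
        expiry = "unset"          # attribute absent: reported, not interpreted
    elif int(raw) in NEVER:
        expiry = "never"
    else:
        expiry = filetime_to_dt(int(raw)).date().isoformat()
    return {"user": rec.get("sAMAccountName"),
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
            "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
            "account_expires": expiry}

# Constructed sample records, not taken from a real directory.
SAMPLE = """\
dn: CN=User1,CN=Users,DC=example,DC=com
sAMAccountName: User1
userAccountControl: 66048
accountExpires: 9223372036854775807

dn: CN=User2,CN=Users,DC=example,DC=com
sAMAccountName: User2
userAccountControl: 514
accountExpires: 132854688000000000
"""

if __name__ == "__main__":
    for r in parse_ldif(SAMPLE):
        print(audit(r))
```

Accounts reported with password_never_expires set are the ones a domain-wide password age will not reach, so they are worth listing before the policy is changed.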