Philippe LeCavalier
2022-Jun-11 16:38 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba <samba at lists.samba.org> wrote:> On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba wrote: > > Just bringing this back to the surface. > > > > I have reread this thread and I think this is normal :-) > > Your user gets locked out because their password has expired. > You unlock the user and set their password expiration to three days. > Your user changes the password but this does not effect the expiry. > After three days they get locked out again. > > Rinse and repeat :-) > > You are going about this the wrong way, you need to remind them that > their password will expire before it does. > > Rowland> They are aware it will expire in 30 just as they are aware it will expire > after 3 (when I postpone it).So you're confirming that changing a password does not change the date for which the password is set to expire? In other words the only automatic or systematic change of password is at the 90 day anniversary (it whatever password settings show, which in my case is 90). This means when the user gets locked and I unlock i also need to set the password to expire in 90 not 3.>
Rowland Penny
2022-Jun-11 16:54 UTC
[Samba] Password Expiration setting and manually adjusting the date
On Sat, 2022-06-11 at 12:38 -0400, Philippe LeCavalier via samba wrote:> On Fri, Jun 10, 2022, 03:16 Rowland Penny via samba < > samba at lists.samba.org> > wrote: > > > On Thu, 2022-06-09 at 17:24 -0400, Philippe LeCavalier via samba > > wrote: > > > Just bringing this back to the surface. > > > > > > > I have reread this thread and I think this is normal :-) > > > > Your user gets locked out because their password has expired. > > You unlock the user and set their password expiration to three > > days. > > Your user changes the password but this does not effect the expiry. > > After three days they get locked out again. > > > > Rinse and repeat :-) > > > > You are going about this the wrong way, you need to remind them > > that > > their password will expire before it does. > > > > Rowland > > They are aware it will expire in 30 just as they are aware it will > > expire > > after 3 (when I postpone it). > > So you're confirming that changing a password does not change the > date for > which the password is set to expire? In other words the only > automatic or > systematic change of password is at the 90 day anniversary (it > whatever > password settings show, which in my case is 90). This means when the > user > gets locked and I unlock i also need to set the password to expire in > 90 > not 3.Possibly, I do not know how you are changing the password and setting the three days grace. I would change the password and make the user change it at next logon. If you are changing the password and then setting the expiry to three days hence, then that expiry date is very likely to be honoured. The only way to confirm this would be to examine a users object in AD after you change the password and set the three days grace and check for the contents of the 'maxPwdAge' attribute. There is also a constructed attribute: 'msDS-UserPasswordExpiryTimeComputed' Rowland