Displaying 4 results from an estimated 4 matches for "ads_uf_dont_expire_passwd".
2018 Jan 16
2
Prevent password change from command line
On Tue, 16 Jan 2018 16:21:31 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Arnaud FLORENT via samba
> In chel di` si favelave...
>
> > the UserAccountControl flag "PASSWD_CANT_CHANGE" can not be set via
> > ldap
>
> No, it is not true. You have 'simply' to OR 0x00010000
> userAccountControl attribute, eg:
2017 Oct 20
2
Some hint reading password expiration data...
In my current "production" NT-like domain (samba 4.2, OpenLDAP
backend), password policies seem to "get written" to user data.
E.g., if I set:
pdbedit -P "maximum password age" -C 7776000
and I change my password, 'Password must change' has a meaningful value,
e.g. 90 days more than the last password change:
root@armitage:~# pdbedit -v
2017 Oct 23
0
Some hint reading password expiration data...
....]
Account Flags: [UX ]
[...]
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
66048
so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT && ADS_UF_DONT_EXPIRE_PASSWD.
So, seems to me that 'pdbedit' is still a useful and coherent tool to
set account flags.
With these experiments, I split my question in two parts:
1) considering that 'accountExpires' probably is here for other things
(eg, setting an account expiration ''per se'...
2017 Oct 23
3
Some hint reading password expiration data...
...]
> [...]
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2
> 66048
>
> so again 0x200 + 0x10000, ADS_UF_NORMAL_ACCOUNT &&
> ADS_UF_DONT_EXPIRE_PASSWD.
>
> So, seems to me that 'pdbedit' is still a useful and coherent tool to
> set account flags.
>
>
>
> With these experiments, I split my question in two parts:
>
>
> 1) considering that 'accountExpires' probably is here for other things
> (eg...