search for: pwdmustchang

Did anybody get to work password change enforcement with Samba PDC running LDAP ? It looks like it is "semi-working". I was able to enforce password change with USRMGR, but now it keeps asking me for the password change every time. I checked the pwdMustChange attribute and it is still set to 0 for some reason (hence checkbox for the password change enforcement in USRMGR is still checked and I am not able to unchek it). Is it known issue and I can't use USRMGR for that purpose ? TIA. P.S. I run Samba 2.2.5 -- Yuri Pismerov, Sr. System Administ...

Hello every body, i am using samba (2.2.8a) with ldap support. In the samba.schema, there are special attributes relatives to the user passord: pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and pwdLastSet. All the samba's documentations i can found described those attributes as "currently unused", execpt the last one that represent the time modification since 1970. But what do the others attributes are for ? Can they be...

...am_ldap and nss_ldap (i can login in into my unix machine with the ldap users - and i can get the usernames for uid which belongs to ldap users). Also possible is it already for users to log into the PDC - but at the first login the get the message that the should change their passwords (because of pwdMustChange is 0 at the first login) - if they then are trying to change the password it won't work (server log: PANIC: failed to set gid). If the log in without changing the password - and then hit STRG-ALT-DEL - and alter the password then it works (why??). My guest account is smbguest - smbguest is in...

Sorry for posting twice but someone mentioned the ietf draft on the attribute ... The attribute that IBM uses for their password policy is described here : http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-06.txt This might give problems with other ldap implementations in the future. I created also a bug report on this. I know that this is not really a bug but could make

...configured to use their "smbldap-passwd.pl" script to modify passwords. That worked, I could change any Windows account password from Windows or the command line and indeed all three passwords for that user are changed (Unix, LM and NT passwords). I later discovered the LDAP entry "pwdMustChange" while looking at a user account one day. When I set this to a date inside of 14 days from today, Windows begins to barks about "Password will expire in X days" - Great I thought I found my solution. But the default password change script wouldn't modify this value. So I modi...

...d chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*successfully* I made my own bash script to sync ldap (posix) password while samba seems to handle samba (LANMAN AND NTHASH) password itself. The password change works very fine, but when i try to update the pwdMustChange to reset his value when a user changed his password, the pwdMustChange isn't modified like it should be. Again everything works very fine when running my script in shell mode. Here it is : ---------------------CUT HERE-------------------------------------------------- #!/bin/bash echo -n &q...

Hi, We are planning to move all of our win2k server (currenty around 50!) alongwith AD to Linux, we are planning to use LDAP based samba domain controllers for authentication and file/print serving. We are doing a pilot and things are fine till now, just one simple problem, what should we do with our password policy, we have three restrictions relating passwords minimum password length password

...tClass: sambaAccount acctFlags: [UX ] userPassword: {crypt}BpM2ej8Rkzogo uid: gcarter uidNumber: 9000 cn: Gerald Carter loginShell: /bin/bash logoffTime: 2147483647 gidNumber: 100 kickoffTime: 2147483647 pwdLastSet: 1010179230 rid: 19000 homeDirectory: /home/tashtego/gcarter pwdCanChange: 0 pwdMustChange: 2147483647 ntPassword: 878D8014606CDA29677A44EFA1353FC7 Where do I get: ntPassword pwdMustChange lmPassword pwdLastSet logonTime kickoffTime logoffTime rid ?? Thank you for any clues...I am ok with generating some of these values from clear passwords, just need to know how.... -- Terry Davis...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list, I'm on the way to implement samba with ldap on five servers (each owns a different nt-domain) and a master server which maintains the central user database which gets replicated to all the other servers. Now I have just one more problem, namely homedirs. I want every user to have a homedir to store for example his profile. This has to

I am updateding my LDAP presentation (ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf) to include a section on the Samba 2.2.x LDAP backend. But I can't find any definititive documentation on the "time" attributes: pwdLastChange, pwdMustChange. Either how the time is encoded or exactly what they mean. I've seen post saying they are hexidecimal (although they don't look it) and other saying they are UTC (but they don't match date+%s). Any pointers concerning this topic would be greatly appreciated.

Hi I have a PDC/BDC samba/ldap environment. PDC: samba 3.0.24 slapd 2.3.30 BDC: samba 3.2.5 slapd 2.4.11 Ldap replication is working fine, but I have noticed two issues 1- when a windows user change password on BDC, sambaPwdMustChange and sambaPwdCanChange is not synced on PDC (using ldap passwd sync = yes and unix password sync = no) 2- when using 'net sam set pwdmustchange' on PDC, sambaPwdCanChange is not synced on BDC Anyone can point me what's wrong? About issue 1- , I can use unix password sync = yes...

...unt objectClass: sambaAccount primaryGroupID: 2007 acctFlags: [DW ] uid: nomicro$ uidNumber: 1000 cn: nomicro$ loginShell: /bin/false logoffTime: 2147483647 gidNumber: 503 kickoffTime: 2147483647 pwdLastSet: 1053686926 rid: 3000 description: Computer homeDirectory: /dev/null pwdCanChange: 0 pwdMustChange: 2147483647 ntPassword: 4DA811CEF46834C8201960E47D39C07D samba log: [2003/05/23 12:48:48, 2] passdb/pdb_ldap.c:ldap_search_one_user(272) ldap_search_one_user: searching for:[(&(uid=nomicro$)(objectclass=sambaAccount))] [2003/05/23 12:48:48, 2] passdb/pdb_ldap.c:get_single_attribute(370)...

...g in, and though i can safely ignore the warning, it is annoying. how do i turn this feature off ? i modified my account-flags to be [UX ] (according to the Samba-LDAP-Howto, this should disable password-expiration), i played around with the "passwordLastSet"-option and i set "pwdMustChange" to 0 (which is mentioned in the ldap/samba-howto too) all with no effect at all. another question: how do i make my domain-users to become "Hauptbenutzer" (oh, this is german, i do think the proper translation is "power users") i guess it might be something as simple...

...r uidNumber: 1002 gidNumber: 200 homeDirectory: /home/administrator loginShell: /bin/bash gecos: User description: User objectClass: top objectClass: account objectClass: posixAccount objectClass: sambaAccount pwdLastSet: 0 logonTime: 0 logoffTime: 2147483647 kickoffTime: 2147483647 pwdCanChange: 0 pwdMustChange: 2147483647 displayName: User acctFlags: [UX] rid: 3004 primaryGroupID: 1401 homeDrive: H: smbHome: \\PDC-SRV\homes profilePath: \\PDC-SRV\profiles\administrator scriptPath: administrator.cmd lmPassword: D97250ED40513A79AAD3B435B51404EE ntPassword: 0386FBABCB8CF77E41C061AEA00E95A4 userPassword: {S...

...: [uid] = [ldapuser] Entry found for user: ldapuser get_single_attribute: [pwdLastSet] = [0] get_single_attribute: [logonTime] = [0] get_single_attribute: [logoffTime] = [2147483647] get_single_attribute: [kickoffTime] = [2147483647] get_single_attribute: [pwdCanChange] = [0] get_single_attribute: [pwdMustChange] = [2147483647] get_single_attribute: [cn] = [ldapuser] get_single_attribute: [homeDrive] = [H:] get_single_attribute: [smbHome] = [\\KS\home] get_single_attribute: [scriptPath] = [ldapuser.cmd] get_single_attribute: [profilePath] = [\\KS\profiles\ldapuser] get_single_attribute: [description] = [S...

...by 'smbldap-usershow.pl'. I want the users to be able to change their own passwords - at any time - is there something I did wrong when creating the user account? 3). I want every user's password to expire on a 90-cycle. I think I see a slot in the LDAP directory for such an option - pwdMustChange, but by default is set to a huge number - 2147483647. First, what number does that represent? Seconds? Minutes? Days? Months? I've watched it for the past week and it hasn't changed. Which leads me to my next question, will changing this number to "O" actually cause the respe...

All of my users are defined in LDAP. The Samba server is configured as a PDC and all the users can change their passwords. The problem i have is when i change the following field in the ldap tree : PwdMustChange set to 0 in order the have them to change their passwords. At this point the client workstation replies : The system cannot change your password now because the domain dc_stgeorges is not available. Weird ?? Coz the users can change their passwords later during their session by pressing ctrl-alt...

...DQ== homedrive:: SDoN logofftime:: MjE0NzQ4MzY0Nw0= gidnumber:: MTAwDQ== kickofftime:: MjE0NzQ4MzY0Nw0= pwdlastset:: MA0= rid:: MzAwMg0= gecos:: U3lzdGVtIFVzZXIN homedirectory:: L3JzcnYvZGF0YTEvaG9tZS9zcHUN pwdcanchange:: MjE0NzQ4MzY0Nw0= profilepath:: XFxBRE1JTjAxXHByb2ZpbGVzXHNwdQ0= sn:: c3B1DQ== pwdmustchange:: MjE0NzQ4MzY0Nw0= ntpassword:: QzEwQ0Q1NDBGMjc2MUFGQzExRkFERjdEQUVERUQ0MjEN -------------- next part -------------- dn: ou=users, dc=toto,dc=be ou: users description: utilisateurs corman objectClass: top objectClass: organizationalUnit dn: uid=spu, ou=users, dc=toto,dc=be logonTime: 0 displayNam...

...uidNumber: 0 gidNumber: 0 homeDirectory: /home/root loginShell: /bin/bash gecos: root shadowLastChange: 0 shadowMax: 0 shadowWarning: 0 userPassword: {SSHA}GN3hrCs7c8Kgd93df23838hHH uid: root pwdLastSet: 1057974221 logonTime: 0 logoffTime: 2147483647 kickoffTime: 2147483647 pwdCanChange: 2147483647 pwdMustChange: 2147483647 displayName: root cn: root smbHome: \\MY_PDC\homes homeDrive: Z: scriptPath: logon.cmd profilePath: \\MT-PDC\profiles\root rid: 1000 primaryGroupID: 1001 lmPassword: 639C041927C79D99AAEJKHRJFHKRJKL ntPassword: 6E1766AB79DDFHGJDHFJJHBJFHBJRHR acctFlags: [UX ] The machine name...

...15,dc=bbs1-emden,dc=schule objectClass: posixAccount objectClass: sambaAccount objectClass: account objectClass: mailRecipient gidNumber: 500 loginShell: /bin/false description: schueler uid: fg13z-15 pwdLastSet: 1028701166 logonTime: 0 logoffTime: 2147483647 kickoffTime: 2147483647 pwdCanChange: 0 pwdMustChange: 2147483647 displayName: fg13z-15 cn: fg13z-15 rid: 3436 primaryGroupID: 2001 acctFlags: [UX ] uidNumber: 5258 mail: fg13z-15@lb-bbs1.emd.ni.schule.de mailLocalAddress: fg13z-15@fileserver.bbs1-emden.schule mailDeliveryOption: accept homeDirectory: /home/schueler/fg13z-15 homeDrive: P: smb...