I've got a file server (named success) running Samba version 3.0.10-1.4E.
I've also got another file server (named happiness) running Samba version
3.3.15 and LDAP.
I've got success pointed to happiness for LDAP in the smb.conf, and running
a "pdbedit -v user" works, it shows the proper information...except for the
password must expire, it seemingly ignores the policy that is set on
success, for example:
[root@success]# pdbedit -P "maximum password age"
account policy value for maximum password age is 90
yet..:
[root@success]# pdbedit -v "user"
Password last set: Tue, 31 May 2011 12:54:11 GMT
Password can change: Tue, 07 Dec 2010 09:05:25 GMT
*Password must change: Mon, 07 Mar 2011 09:05:25 GMT*
Last bad password : 0
Bad password count : 0
Should the Password must change not be 90 days after the Password last set?
If I do the same command on happiness (the one that runs ldap as well) it
outputs as expected.
I've been stuck at this forever, am I missing something VERY obvious?
Thanks for any help!
At one time I used pdbedit to force a password change and that stopped
working. Apparently it was deprecated in favor of "net sam set
pwdmustchangenow". I'm guessing the same thing happened to maximum
password age. Try using "net sam policy set maximum password age"
instead.
Chris
He is using an ancient version of samba (3.0.10-1.4E) though so the
deprecation probably does not apply.
John
"net sam set pwdmustchangenow" was first introduced at Samba 3.0.25.
From: Chris Beach <chr...@pintys.com>
Date: Fri, 1 Jul 2011 19:57:26 -0400
> I've got a file server (named success) running Samba version
> 3.0.10-1.4E. I've also got another file server (named happiness)
> running Samba version 3.3.15 and LDAP.
> I've got success pointed to happiness for LDAP in the smb.conf, and
> running a "pdbedit -v user" works, it shows the proper
> information...except for the password must expire, it seemingly
> ignores the policy that is set on success, ...
> [root@success]# pdbedit -P "maximum password age"
> account policy value for maximum password age is 90
The account policies in which "maximum password age" is included were
always stored at local account_policy.tdb before Samba 3.0.21. After
Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.
That's the problem, I think.
---
TAKAHASHI Motonobu <mo...@samba.gr.jp>
Thanks. Missed that sorta - wasn't going to dig through the changelog
back to the stone ages.
So my problem still stands, pdbedit -P "maximum password age" shows 90 days,
as far as that is concerned it's correct, but for whatever reason, it's not
adding that 90 days from the "password last set" date to get the "password
must change" field, so most accounts are locked out, because the "password
must change" date is older than the "password last set" date... there must
be some config or setting on the server somewhere causing this, I just
haven't a clue where (I've looked quite a lot).
I'm not sure what Z stands for, but is there a way I could go about
correcting this, or is my only option to update samba on the server
(success) so it will correctly report the password policy of the LDAP server
it is using?
Thanks for all the help.
> I'm not sure what Z stands for, but is there a way I could go about
> correcting this, or is my only option to update samba on the server
> (success) so it will correctly report the password policy of the LDAP server
> it is using?
>
> Thanks for all the help.
AFAIK, you need to upgrade Samba on success at least to 3.0.21, as I said:
> The account policies in which "maximum password age" is included were
> always stored at local account_policy.tdb before Samba 3.0.21. After
> Samba 3.0.21, these are stored at LDAP when LDAP is used as passdb.
---
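
A check for the symptom discussed in this thread, as an added example that is not part of any poster's message or of Samba itself: it reads `pdbedit -v` style output and flags accounts whose "Password must change" is not exactly the policy's maximum age after "Password last set". The sample text is constructed from the fields quoted above; the account `user2`, the grouping by `Unix username` and the status names are assumptions made for the example.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample in the layout pdbedit -v prints; "user2" is a made-up account.
SAMPLE = """\
Unix username:        user
Password last set:    Tue, 31 May 2011 12:54:11 GMT
Password must change: Mon, 07 Mar 2011 09:05:25 GMT
Unix username:        user2
Password last set:    Tue, 31 May 2011 12:54:11 GMT
Password must change: Mon, 29 Aug 2011 12:54:11 GMT
"""

FIELD = re.compile(r"^(Unix username|Password last set|Password must change):\s*(.+)$")

def parse_accounts(text):
    """Group the date fields of each account under its Unix username."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip().strip("*").strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Unix username":
            current = accounts.setdefault(value, {})
        elif current is not None:
            try:
                current[key] = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # values that are not dates are skipped
    return accounts

def check_expiry(text, max_age_days):
    """Map username -> (status, must_change - last_set) for accounts with both dates."""
    findings = {}
    for user, f in parse_accounts(text).items():
        if len(f) < 2:
            continue
        delta = f["Password must change"] - f["Password last set"]
        if delta < timedelta(0):
            status = "must-change-before-last-set"
        elif delta != timedelta(days=max_age_days):
            status = "policy-mismatch"
        else:
            status = "ok"
        findings[user] = (status, delta)
    return findings
```

Run against the real output of `pdbedit -v` on each server with the value reported by `pdbedit -P "maximum password age"`, it lists the accounts that would be treated as expired even though the password was changed recently.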