Hi, You almost got it...
Samba 2 has a weird behaviour when using LDAP and passwd program. When you change the password from Windows, things happen like this:

1) samba reads all the user data from LDAP to memory (doesn't read userpassword)
2) executes the "passwd program" to change userpassword. At this point your script also sets the new "pwdMustChange" value.
3) things get tricky here, when samba writes back all the data it got from LDAP earlier and changes password hashes.

So if your script changes the "pwdMustChange" value, samba puts it back as it was before :P

Workaround is to modify pdb_ldap.c and teach samba not to write back "pwdMustChange". It can be achieved by commenting out 2 lines.

When samba3 calculates new "pwdMustChange" based on policy. In samba2 you must do it with scripts.

btw, your perl script is way too complex. I attached one of my e-mails sent to samba-technical ages ago, where this trick is described.

Best regards,
Rauno Tuul.

-----Original Message-----
From: Collins, Kevin [mailto:[EMAIL PROTECTED]

I've got a Samba 2.2.7a domain with an LDAP backend. It's been working for nearly 3 months now without much bother. By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from NT 4: Password Expiration. In the past I have posted questions about this on the list and I've gotten two answers: "Wait for 3." or "Write your own script to do it for you." Well, I sorta went the second route. By "sorta" I mean that I modified a pre-existing script to make it do what I wanted it to.

What I did was this...I started with IDEALX's howto and scripts to get things going. I had Samba configured to use their "smbldap-passwd.pl" script to modify passwords. That worked, I could change any Windows account password from Windows or the command line and indeed all three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry "pwdMustChange" while looking at a user account one day. When I set this to a date inside of 14 days from today, Windows begins to bark about "Password will expire in X days" - Great I thought I found my solution. But the default password change script wouldn't modify this value., but I would prefer not to as they seem to work so well. .................
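The write-back sequence described in the reply above, modelled as an added example (not part of the original thread and not Samba code). A dict stands in for the LDAP entry; the function names, the `skip` parameter, the 90-day maximum age and all values are assumptions made for illustration.

```python
import copy

DAY = 86400  # seconds; pwdMustChange is modelled here as a Unix timestamp

# Constructed account entry; every value is illustrative.
ENTRY = {"uid": "jdoe", "userPassword": "{x}old", "lmPassword": "LM-OLD",
         "ntPassword": "NT-OLD", "pwdMustChange": 1000}

def samba_read(entry):
    """Step 1: cache the account attributes (userPassword is not read)."""
    return {k: v for k, v in entry.items() if k != "userPassword"}

def passwd_program(entry, now, max_age_days=90):
    """Step 2: the external script sets userPassword and a new pwdMustChange."""
    entry["userPassword"] = "{x}new"  # placeholder, not a real hash
    entry["pwdMustChange"] = now + max_age_days * DAY

def samba_write_back(entry, cached, new_hashes, skip=()):
    """Step 3: write the cached copy back together with the new hashes.

    `skip` models the workaround from the reply: attributes listed there
    are left out of the write, so the script's value survives.
    """
    update = {**cached, **new_hashes}
    for attr in skip:
        update.pop(attr, None)
    entry.update(update)

def change_password(entry, now, skip=()):
    """Run the three steps on a copy of the entry and return the result."""
    entry = copy.deepcopy(entry)
    cached = samba_read(entry)
    passwd_program(entry, now)
    samba_write_back(entry, cached,
                     {"lmPassword": "LM-NEW", "ntPassword": "NT-NEW"}, skip)
    return entry

if __name__ == "__main__":
    now = 2_000_000
    stock = change_password(ENTRY, now)
    patched = change_password(ENTRY, now, skip=("pwdMustChange",))
    print("stock write-back  :", stock["pwdMustChange"])    # stale cached value
    print("patched write-back:", patched["pwdMustChange"])  # value set by the script
```

In the stock sequence userPassword keeps the script's value only because it was never cached in step 1; every attribute that was cached is subject to the same overwrite.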
