Re: [Samba] samba-ldap and password expiration

2003-06-27 Thread Buchan Milne

 Date: Thu, 26 Jun 2003 15:20:14 +0200 (CEST)
 From: Jérôme Tournier
 Subject: [Samba] samba-ldap and password expiration

 Hello everybody,
 I am using samba (2.2.8a) with ldap support. In the samba.schema,
 there are special attributes relative to the user password:
 pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and
 pwdLastSet.
 All the samba documentation I can find describes those attributes
 as currently unused, except the last one, which represents the
 modification time since 1970.
 But what are the other attributes for? Can they be used, and
 how?
 For example, I found that pwdMustChange can be used to force a user to
 change his password. It seems that if I set pwdMustChange to epoch
 time+20, the user will have to change his password in 20s. And again
 in 20s ... So can I force a user to change his password in n seconds,
 but later on?

The problem is that samba doesn't unexpire passwords, and it is
difficult to unexpire them via a script, since samba reads all the
attributes before a password change, runs whichever password change
mechanism you have if you are using password synchronisation (either pam
or passwd program), and then makes its changes in LDAP (overwriting any
samba attributes that may have been changed by passwd program).

It may be possible to store the password change times in a separate
file, and post-process them via a cron job, but I haven't had time to
implement this.

AFAIK, samba3 will fully support password age/changing restrictions.

Regards,
Buchan

-- 
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
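
A sketch of the cron-job post-processing idea from the reply above, added here as an example and not code from the thread or from Samba: it finds accounts whose pwdMustChange is not later than pwdLastSet (the password was changed but the expiry never moved) and emits LDIF change records that could be fed to ldapmodify. Assumptions: Samba updates pwdLastSet on every password change, both attributes hold epoch seconds, the 90-day MAX_AGE policy and the sample entries are constructed, and the input contains no folded or base64 LDIF lines.

```python
"""Cron-style post-processing: re-arm pwdMustChange after a password change."""

MAX_AGE = 90 * 24 * 3600  # assumed policy: passwords expire after 90 days

# Constructed sample, shaped like `ldapsearch -LLL` output for Samba 2.2 accounts.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
pwdLastSet: 1056600000
pwdMustChange: 1056000000

dn: uid=bob,ou=People,dc=example,dc=org
pwdLastSet: 1050000000
pwdMustChange: 1057776000

dn: uid=carol,ou=People,dc=example,dc=org
pwdLastSet: 1056000000
"""

def parse_entries(ldif):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def stale_expiry_fixes(entries, max_age=MAX_AGE):
    """Return (dn, new_pwdMustChange) where the expiry predates the last change."""
    fixes = []
    for e in entries:
        if "pwdLastSet" not in e or "pwdMustChange" not in e:
            continue  # no expiry configured for this account; leave it alone
        last_set, must_change = int(e["pwdLastSet"]), int(e["pwdMustChange"])
        if must_change <= last_set:  # password was changed, expiry never moved
            fixes.append((e["dn"], last_set + max_age))
    return fixes

def to_modify_ldif(fixes):
    """Render the fixes as LDIF change records suitable for ldapmodify."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nreplace: pwdMustChange\n"
        f"pwdMustChange: {value}\n-\n\n" for dn, value in fixes)

if __name__ == "__main__":
    print(to_modify_ldif(stale_expiry_fixes(parse_entries(SAMPLE_LDIF))), end="")
```

Accounts whose expiry is still in the future relative to pwdLastSet, and accounts with no pwdMustChange at all, are left untouched.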


[Samba] samba-ldap and password expiration

2003-06-26 Thread Jérôme Tournier
Hello everybody,
I am using samba (2.2.8a) with ldap support. In the samba.schema,
there are special attributes relative to the user password:
pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and
pwdLastSet.
All the samba documentation I can find describes those attributes
as currently unused, except the last one, which represents the
modification time since 1970.
But what are the other attributes for? Can they be used, and
how?
For example, I found that pwdMustChange can be used to force a user to
change his password. It seems that if I set pwdMustChange to epoch
time+20, the user will have to change his password in 20s. And again
in 20s ... So can I force a user to change his password in n seconds,
but later on?
Thanks a lot
-- 
Jérôme

