Samba 3.0.25 appears to be ignoring the LDAP property sambaPwdMustChange.

With the same LDAP backend and the same smb.conf file, setting sambaPwdMustChange to 1 for user prynhart with Samba 3.0.23d gives the correct answer of

    # pdbedit -u prynhart -L -v | grep 'Password must change'
    Password must change: Thu, 01 Jan 1970 12:00:01 NZST

However, with Samba 3.0.25 I get

    # pdbedit -u prynhart -L -v | grep 'Password must change'
    Password must change: Tue, 19 Jan 2038 16:14:07 NZDT

I have Samba 3.0.23d and 3.0.25 installed "side-by-side" at

    /usr/local/samba-3.0.23d
    /usr/local/samba-3.0.25

To switch between versions I am using a symlink created from /usr/local/samba.

smb.conf for both versions is the same (and is a symlink to /etc/samba/smb.conf).

Regards,
Patrick
Created attachment 2715: smb.conf
With 3.0.23d in the info3 structure I'm getting

    000014 net_io_user_info3
        0014 ptr_user_info : 00000000
        0018 auth_resp : 00000001
        001c status : NT_STATUS_PASSWORD_EXPIRED

but with 3.0.25

    000014 net_io_user_info3
        0014 ptr_user_info : 00000001
        000018 smb_io_time logon time
            0018 low : 00000000
            001c high: 00000000
        000020 smb_io_time logoff time
            0020 low : d4a5e980
            0024 high: 01e9fd1e
        000028 smb_io_time kickoff time
            0028 low : d4a5e980
            002c high: 01e9fd1e
        000030 smb_io_time last set time
            0030 low : d5d71680
            0034 high: 019db1de
        000038 smb_io_time can change time
            0038 low : d5d71680
            003c high: 019db1de
        000040 smb_io_time must change time
            0040 low : d4a5e980
            0044 high: 01e9fd1e
        000048 smb_io_unihdr hdr_user_name
            0048 uni_str_len: 0010
            004a uni_max_len: 0010
            004c buffer : 00000001
        000050 smb_io_unihdr hdr_full_name
            0050 uni_str_len: 001e
            0052 uni_max_len: 001e
            0054 buffer : 00000001
        000058 smb_io_unihdr hdr_logon_script
            0058 uni_str_len: 0018
            005a uni_max_len: 0018
            005c buffer : 00000001
        000060 smb_io_unihdr hdr_profile_path
            0060 uni_str_len: 0000
            0062 uni_max_len: 0000
            0064 buffer : 00000000
        000068 smb_io_unihdr hdr_home_dir
            0068 uni_str_len: 0000
            006a uni_max_len: 0000
            006c buffer : 00000000
        000070 smb_io_unihdr hdr_dir_drive
            0070 uni_str_len: 0000
            0072 uni_max_len: 0000
            0074 buffer : 00000000
        0078 logon_count : 0000
        007a bad_pw_count : 0000
        007c user_rid : 00018b0d
        0080 group_rid : 00000201
        0084 num_groups : 00000001
        0088 buffer_groups : 00000001
        008c user_flgs : 00000020
This is by design. We changed the must change semantics, now it is dynamically calculated based on last change + max password age account policy. You can set the max password age with

    net sam policy set "maximum password age" 30

Volker
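
Added example (not part of the original thread and not Samba's own code): a Python sketch that decodes the low/high time fields from the 3.0.25 info3 dump above and models the "last change + max password age" rule described in the reply. Treating the policy value as seconds, and an unset policy as the 32-bit time_t ceiling, are assumptions made for the illustration.

```python
from datetime import datetime, timezone

NT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 to 1970-01-01
TIME_T_MAX = 0x7FFFFFFF        # assumption: "never expires" sentinel

# (low, high) dwords copied from the 3.0.25 info3 dump in this thread
DUMP = {
    "last set time":    (0xD5D71680, 0x019DB1DE),
    "can change time":  (0xD5D71680, 0x019DB1DE),
    "must change time": (0xD4A5E980, 0x01E9FD1E),
}

def nttime_to_unix(low, high):
    """Join two 32-bit dwords into an NT time (100 ns ticks since 1601)
    and convert it to Unix seconds."""
    ticks = (high << 32) | low
    return ticks // 10_000_000 - NT_EPOCH_OFFSET

def must_change_time(last_set, max_age):
    """Model of the rule in the reply: last change + max password age.
    max_age of None or 0 models 'no policy set' (assumption)."""
    if not max_age:
        return TIME_T_MAX
    return min(last_set + max_age, TIME_T_MAX)

def is_expired(last_set, max_age, now):
    """True once 'now' has reached the computed must-change time."""
    return now >= must_change_time(last_set, max_age)

def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__":
    for name, (low, high) in DUMP.items():
        ts = nttime_to_unix(low, high)
        print(f"{name:17} {ts:>11}  {fmt(ts)}")

    last_set = nttime_to_unix(*DUMP["last set time"])
    now = 1_180_000_000  # constructed "current time" in 2007
    for policy in (None, 30):  # no policy, then the value from the reply
        mc = must_change_time(last_set, policy)
        print(f"max age {policy}: must change {fmt(mc)}, "
              f"expired={is_expired(last_set, policy, now)}")
```

The dump's must change time decodes to 0x7fffffff (19 Jan 2038 03:14:07 UTC, the date pdbedit printed in NZDT), and its last set time decodes to 1 second after the Unix epoch.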