I'm using a SuSE 10.0 OSS box; samba 3.0.25a; ldapsam. When I check "User must change password at next logon" in Microsoft's User Manager, instead of getting a sambaPwdMustChange: 0 in LDAP, I get sambaPwdLastSet: 0. Thanks for any help!
I am afraid that this is intentional (the error that is returned when a user who has sambaPwdMustChange==0 tries to connect also is NT_STATUS_PASSWORD_MUST_CHANGE), but besides misusing an attribute for something different from what the name implies, this change may have pretty dramatic side effects (see Bug 4811).
This is not the result of misusing an attribute, it is the result of ending up with a schema that was created from a misunderstanding of how the SAM worked. I would argue that having a sambaPwdMustChange of 0 should mean the exact _opposite_ of what you expect it to mean. If you examine the user info levels that Windows uses to express the user definitions, the PasswordLastSetTime value is set to 0 by User Manager when the user checks this box. We are passing on the way Windows behaves. The PasswordMustChangeTime is _calculated_ from the policy, and is not part of the SAM.
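
The behaviour discussed in this thread, as an added example that is not from any of the posters and is not Samba's own code: a small audit that derives the must-change time from `sambaPwdLastSet` and a maximum-password-age policy instead of reading a stored `sambaPwdMustChange`. The derivation rules are a simplified model and an assumption, as are the "X" (password does not expire) check on `sambaAcctFlags`, the sample entries and the function names.

```python
NEVER = None  # sentinel: the password never has to be changed

# Constructed sample entries (LDIF-style), not taken from a real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
sambaPwdLastSet: 0
sambaAcctFlags: [U          ]

dn: uid=bob,ou=People,dc=example,dc=org
sambaPwdLastSet: 1185926400
sambaAcctFlags: [U          ]

dn: uid=svc,ou=People,dc=example,dc=org
sambaPwdLastSet: 1185926400
sambaAcctFlags: [UX         ]
"""

def parse_entries(ldif):
    """Split blank-line separated entries into attribute dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def must_change_time(entry, max_age):
    """Return 0 (change at next logon), NEVER, or a Unix timestamp."""
    # Assumption: a missing sambaPwdLastSet is treated like 0.
    last_set = int(entry.get("sambaPwdLastSet", "0"))
    if last_set == 0:                 # what User Manager's checkbox produces
        return 0
    if "X" in entry.get("sambaAcctFlags", ""):   # assumed no-expiry flag
        return NEVER
    if max_age in (None, 0, -1):      # assumed: no maximum age configured
        return NEVER
    return last_set + max_age         # calculated from policy, never stored

def audit(ldif, max_age, now):
    """Map each DN to 'must-change-now', 'expired', 'ok' or 'never'."""
    report = {}
    for entry in parse_entries(ldif):
        when = must_change_time(entry, max_age)
        if when is NEVER:
            status = "never"
        elif when == 0:
            status = "must-change-now"
        else:
            status = "expired" if when <= now else "ok"
        report[entry["dn"]] = status
    return report
```
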