I'm using LDAP as a backend and Samba seems to be ignoring that field, so a user's password never expires. I don't think it's normal behavior:

    [root@centos5 source]# smbldap-usershow dmarkey 2> /dev/null | grep sambaPwdMustChange
    sambaPwdMustChange: 1215634805
    [root@centos5 source]# smbldap-usermod -B1 dmarkey
    [root@centos5 source]# smbldap-usershow dmarkey 2> /dev/null | grep sambaPwdMustChange
    sambaPwdMustChange: 0
    [root@centos5 source]# su - dmarkey
    [dmarkey@centos5 ~]$ net user
    Password:
    root
    nobody
    dmarkey
    testtesttest

A Windows login also works. Centos52 OS.
I am seeing this here as well. My Samba is 3.0.26a on SUSE Linux Enterprise Server 9, SP3. Here is what I see:

According to the documentation, setting sambaPwdMustChange=0 should cause a "you are required to change your password" upon login. However, on my setup, it does NOT work. The user can log on, but is NOT asked to change his or her password.

Then I tried using "net sam set pwdmustchangenow USERNAME yes" (which is, I guess, the native Samba way of achieving this) and it DOES work, BUT: by setting "sambaPwdLastSet=0"! So it looks at sambaPwdLastSet=0 instead of sambaPwdMustChange=0.

Here is what I see from an LDIF:

Before:

    dn: uid=heupink,ou=users,dc=intech,dc=unu,dc=edu
    sambaPwdMustChange: 2147...
    sambaPwdCanChange: 1195...
    sambaLMPassword: 1487...
    sambaNTPassword: F81D...
    -> sambaPwdLastSet: 1219...

After "net sam set pwdmustchangenow heupink yes":

    dn: uid=heupink,ou=users,dc=intech,dc=unu,dc=edu
    sambaPwdMustChange: 2147...
    sambaPwdCanChange: 1195...
    sambaLMPassword: 1487...
    sambaNTPassword: F81D...
    -> sambaPwdLastSet: 0

When I log on I get the 'you are required to change your password' dialogue. After I change my password I see:

    dn: uid=heupink,ou=users,dc=intech,dc=unu,dc=edu
    sambaPwdMustChange: 2147...
    sambaPwdCanChange: 1195...
    sambaLMPassword: 0213...
    sambaNTPassword: EE9D...
    -> sambaPwdLastSet: 1223...
sambaPwdMustChange seems to have been phased out since 3.0.25(ish). Heimdal Samba integration relies on it, but I have submitted patches to hdb-ldap so it doesn't.
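
Added example, not part of the thread and not Samba or smbldap-tools code: an audit of an LDIF export that flags accounts where a forced password change was requested through sambaPwdMustChange=0 while sambaPwdLastSet is still non-zero, which is the combination the posts above report as having no effect. The sample entries, the status labels and the function names are constructed for illustration.

```python
# Constructed sample export; DNs and timestamps are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=org
sambaPwdMustChange: 0
sambaPwdLastSet: 1219000000

dn: uid=bob,ou=users,dc=example,dc=org
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 0

dn: uid=carol,ou=users,dc=example,dc=org
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1223000000
"""


def parse_ldif(text):
    """Yield one dict per entry; handles plain 'attr: value' lines only."""
    entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line ends the current entry
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith((" ", "#")) or ": " not in line:
            continue                  # skip folded lines and comments
        attr, value = line.split(": ", 1)
        entry[attr] = value.strip()


def classify(entry):
    """Apply the behaviour reported in the thread to one entry."""
    if entry.get("sambaPwdLastSet") == "0":
        return "forced-change"        # user is prompted at next logon
    if entry.get("sambaPwdMustChange") == "0":
        return "ineffective-flag"     # admin intent is not enforced
    return "normal"


def audit(text):
    return {e["dn"]: classify(e) for e in parse_ldif(text) if "dn" in e}


if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF).items():
        print(f"{status:17} {dn}")
```

Entries reported as ineffective-flag are the ones to re-flag with "net sam set pwdmustchangenow USERNAME yes", as described in the second post.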