bugsmbldap-tools - Bugs: bug #10148, smbldap-usermod sets wrong samba...

Show feedback again

You are not allowed to post comments on this tracker with your current authentification level.

bug #10148: smbldap-usermod sets wrong samba password modify time

Submitted by:  Alain D D Williams <addw>
Submitted on:  Mon Oct 15 14:49:32 2007  
Category: NoneSeverity: 5 - Blocker
Priority: 5 - NormalStatus: Invalid
Privacy: PublicAssigned to: None
Open/Closed: Open

Mon Mar 5 14:25:38 2012, comment #3:

I think smbldap-usermod is correct.

FYI: Samba 3.0.25 and later ignores sambaPwdMustChange attribute.

SATOH Fumiyasu <fumiyas>
Project Member
Fri Feb 15 17:30:34 2008, comment #2:

Well, --sambaExpire update the sambakickoffTime, as Windows does. In fact, i based myself on what the servtools done: in user manager (usrmgr.exe), when setting an expiration date to the account, sambakickoffTime is updated, not sambaPwdMustChange. But maybe i'm wrong. If you have any links to help me...

Tournier Jerome <jtournier>
Project Administrator
Thu Dec 20 17:53:33 2007, comment #1:

I guess the explanation given by smbldap-tools isn't entirely clear, but as I understand it the expire option refers to account expiration--not password. This is why it sets kickoffTime: after that point they can no longer use the account.

In fact there already is a way to modify sambaPwdMustChange:
-B|--sambaPwdMustChange must change password ? 0 if no, 1 if yes

Clearly it does not take a date, but if something should be changed it would seem to be that.

It may also be worth nothing that smbldap-passwd appears to behave correctly by setting sambaPwdMustChange to $date+$config{defaultMaxPasswordAge}*24*60*60 after a password change as one would expect, assuming defaultMaxPasswordAge is set.

Andy Clayton <clayton>
Mon Oct 15 14:49:32 2007, original submission:

If I run: smbldap-usermod --sambaExpire '2009-10-11 01:01:02' it modified the LDAP attribute sambakickoffTime, this appears to be wrong it should be instead the attribute sambaPwdMustChange, or that attribute as well.

This involves changing near line 472 in smbldap-tools version 0.9.4

When I do this the users no longer get warnings about their passwords about to exire.

I have not sumbitted this as a patch since I don't understand the ldap schema and so am not sure that this is the correct thing to do. "It works for me" is not the best basis for a patch.

Alain D D Williams <addw>


No files currently attached


Depends on the following items: None found

Items that depend on this one: None found


Carbon-Copy List
  • -unavailable- added by fumiyas (Posted a comment)
  • -unavailable- added by jtournier (Posted a comment)
  • -unavailable- added by clayton (Posted a comment)
  • -unavailable- added by addw (Submitted the item)
  • -unavailable- added by addw

    Do you think this task is very important?
    If so, you can click here to add your encouragement to it.
    This task has 0 encouragements so far.

    Only logged-in users can vote.


    Error: not logged in



    Follow 3 latest changes.

    Date Changed By Updated Field Previous Value => Replaced By
    Mon Mar 5 14:25:38 2012fumiyasStatusNeed Info=>Invalid
    Fri Feb 15 17:31:07 2008jtournierStatusNone=>Need Info
    Mon Oct 15 14:49:32 2007addwCarbon-Copy-=>Added addw
    Show feedback again

    Back to the top

    Powered by Savane 3.1-cleanup