
guna_pmk 04-12-2011 08:59 AM

Samba PDC + Openldap password policy

This is my setup:

Samba server (samba3x) on CentOS 5.5
OpenLdap server (2.3) on CentOS 5.5
Using smbldaptool to add/configure users

I have been trying to figure out the password policy configuration, but I am getting confused by a lot of suggestions. Here is what I want:

1. Need a method to specify that the password set will expire every, say, 45 days
2. Password must be 8 characters long, with a minimum of one uppercase, one numeric and one non-alphanumeric character (in effect, the same rules as when you reset your Linux password using passwd)
3. Users must be able to use the same password from both Windows and Linux; it should be sufficient to change the password on one platform, i.e. a password changed on one platform (Linux or Windows) must be available to the other platform.
4. If possible remind the user of password expiry through email.

Can somebody please point me in the right direction?

Please let me know if you need more information in this regard.


guna_pmk 04-14-2011 05:18 AM


guna_pmk 06-28-2011 04:02 AM


bobbywan 11-03-2011 10:37 AM

Hi I'm trying to do the same thing, have you managed to figure it out ?


guna_pmk 11-04-2011 04:05 AM

Hi bobbywan,

Of all the four I figured out only the third point.

If you change the password on a Linux platform using 'passwd', it changes the password in the LDAP but only for the Linux platforms. On the other hand, if you change the password from a Windows workstation, it changes the password for both Windows and Linux. Using the 'smbldap-passwd' command on a Linux machine changes the password for both Windows and Linux.

I have not figured out the rest. Though I am not actively searching for them, I am still in need of them. I shall update this thread if I find them out. Please do so too if you figure out the ways to achieve them.


guna_pmk 01-09-2012 03:27 AM

Found out one more, guys.

If you set the

obey pam restrictions = Yes

attribute in the [general] section of smb.conf (and restart samba), samba will obey the pam password expiry (note that users will immediately be denied access to samba resources and will be required to change their passwords if the password has already expired in pam). To check the password expiry date of a user, issue


ldapsearch -x -b dc=example,dc=com "(uid=username)" | grep sambaPwdMustChange

This will display the expiry time as a Unix timestamp. To convert the timestamp to a readable date, issue


date -d @<timestamp>

I still have to figure out the password policy.
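The two commands in the post above can be put together into a small expiry report, which is also the natural starting point for the e-mail reminder asked for in point 4 of the first post. The script below is an added example written for this thread, not code posted by anyone in it. It parses the LDIF that ldapsearch prints (assumed: -LLL output, the base dc=example,dc=com from the post, GNU awk and GNU date), works on a constructed sample instead of a live directory so it runs offline, and flags every account whose sambaPwdMustChange falls within a chosen number of days, including accounts that are already past it. Two checks before relying on it: obey pam restrictions is a [global] smb.conf parameter, and Samba 3 itself derives expiry from sambaPwdLastSet plus the domain's maximum password age (see pdbedit -P), so confirm that your smbldap-tools version still maintains sambaPwdMustChange before alerting on that attribute.

```sh
#!/bin/sh
# Added example for this thread (not code from any post in it): report LDAP
# accounts whose sambaPwdMustChange falls within N days, so a cron job can
# warn them by mail.  Assumes GNU awk and GNU date and that the attribute
# holds a Unix epoch, as the ldapsearch/date commands in the post show.

# Constructed sample, standing in for the output of:
#   ldapsearch -x -LLL -b dc=example,dc=com '(sambaPwdMustChange=*)' uid sambaPwdMustChange
# Epochs are relative to 2012-01-01 00:00 UTC (1325376000): alice +7 days,
# bob +17 days, carol far future, dave -7 days (already expired).
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaPwdMustChange: 1325980800

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaPwdMustChange: 1326844800

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
sambaPwdMustChange: 2147483647

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
sambaPwdMustChange: 1324771200
'

# expiring_within NOW DAYS   (LDIF on stdin)
# Prints "uid days_left" for every account whose password expires within
# DAYS of the epoch NOW; already-expired accounts show a negative number.
# Entries in LDIF are separated by a blank line, so each blank line (and
# end of input) closes the entry being collected.
expiring_within() {
    awk -v now="$1" -v days="$2" '
        function emit() {
            if (uid != "" && must != "") {
                left = int((must - now) / 86400)
                if (left <= days) printf "%s %d\n", uid, left
            }
            uid = ""; must = ""
        }
        /^uid: / { uid = $2 }
        /^sambaPwdMustChange: / { must = $2 }
        /^$/ { emit() }
        END { emit() }'
}

# expiry_date TIMESTAMP -> YYYY-MM-DD in UTC (same conversion as date -d @<ts>,
# pinned to UTC so the result does not depend on the server timezone)
expiry_date() {
    date -u -d "@$1" '+%Y-%m-%d'
}

# reminder_text UID DAYS_LEFT -> one-line message body to send to the user
reminder_text() {
    if [ "$2" -lt 0 ]; then
        printf 'Hello %s, your password expired %d day(s) ago. Please change it with smbldap-passwd.\n' "$1" $(( 0 - $2 ))
    else
        printf 'Hello %s, your password expires in %d day(s). Please change it with smbldap-passwd.\n' "$1" "$2"
    fi
}

# Demo on the sample data with the fixed epoch 1325376000 (2012-01-01 UTC).
# In production: feed the live ldapsearch output, pass "$(date +%s)", and
# pipe each reminder into mail(1) instead of printing it.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_LDIF" | expiring_within 1325376000 14 |
    while read -r uid left; do
        reminder_text "$uid" "$left"   # | mail -s "Password expiry" "$uid@example.com"
    done
fi
```

Run it with --demo to see the reminders for the sample: only alice (7 days left) and dave (expired 7 days ago) are reported at a 14-day threshold. For a daily cron job, replace SAMPLE_LDIF with the live ldapsearch output, pass $(date +%s) as NOW, and send each reminder_text line through mail(1); the mail address mapping (uid@example.com) is an assumption and should come from the user's mail attribute in LDAP.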

