I would like to create user accounts, and enforce the password to be changed at next logon, after assigning a default password.

How is this done, and is there any way it can be done over Samba?

Thanks.

Well, there are two sets of passwords involved: the system password file, and the SAMBA password file.

As for the system password file, the direct way of setting expirations is by editing the password entry in /etc/shadow.

I haven't done it myself, so let me quote:


The ``/etc/shadow'' file contains password and account expiration information for users, and looks like this:

smithj:Ep6mckrOLChF.:10063:0:99999:7:::

As with the passwd file, each field in the shadow file is also separated with ?:? colon characters, and are as follows:

Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.

Password, 13 character encrypted. A blank entry (eg. : :) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :* :) indicates the account has been disabled.

The number of days (since January 1, 1970) since the password was last changed.

The number of days before password may be changed (0 indicates it may be changed at any time)

The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)

The number of days to warn user of an expiring password (7 for a full week)

The number of days after password expires that account is disabled

The number of days since January 1, 1970 that an account has been disabled

A reserved field for possible future use


That's somewhat complex, so I'm sure tools have been written to help out, but I wouldn't know.

You should also check out the files under /etc/pam.d for further password stuff.

Users logging in via telnet or at the terminal should get a warning when their password is about to expire, and should be able to change it with the passwd command.

Now, the Samba password file is a differenet issue. Samba might have some way to use the system password file instead of keeping its own user database (yes, I know there's a utility to convert the entire system database to a samba password database, but that's not the same thing), so both passwords will have to be changed. I don't know of any ways offhand for users to change their own Samba passwords, or to expire Samba passwords, but I'd start by checking the Samba website and documentation.