
Re: Forcing new users to change their password on first login?

On 05/02/2010 01:43 PM, Petter Reinholdtsen wrote:
> One interesting feature in Active Directory is the ability to create
> a new user with an expired password, and thus force the user to change
> the password on the first login attempt.
> I'm not quite sure how to do that with the LDAP setup in Debian Edu,
> but did some initial testing with a local account.  The account and
> password aging information is available in /etc/shadow, but
> unfortunately, it is not possible to specify an expiration time for
> passwords, only a maximum age for passwords.

Using kdm/ssh works nicely if you only use ssh/kdm to log in. But if you
also use Samba, either with Windows/Mac machines, or Linux machines that
use smbfs/cifs (laptops and others), you will get a problem, because
kdm/ssh (or more exactly /etc/pam.d/passwd) only changes the
Unix password, and not the Samba password.

And to give the users a 7-day period for changing the password
could be a bad idea, since many schools don't use the computers that
often. So the local admin would get a higher workload. The students
would find that their account is locked, and would have to get a
new one either from the teacher or the local admin. And it would cause
the students to use the system less often.
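
The Unix/Samba mismatch described in the reply above can be audited from the directory. This is an added example, not part of the original thread: it assumes the LDAP entries carry the standard shadowLastChange (days since 1970-01-01) and sambaPwdLastSet (seconds since 1970-01-01) attributes, and the LDIF data and function names are constructed for illustration.

```python
SECONDS_PER_DAY = 86400

# Constructed sample entries (not taken from any real directory).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
shadowLastChange: 14731
sambaPwdLastSet: 1272794400

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
shadowLastChange: 14740
sambaPwdLastSet: 1272794400

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
shadowLastChange: 14740
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into a list of dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        if entry:
            entries.append(entry)
    return entries

def find_stale_samba_passwords(entries):
    """Return (uid, days_behind) where the Unix password is newer than Samba's."""
    findings = []
    for entry in entries:
        # Accounts without both attributes are not Samba-enabled; skip them.
        if "shadowLastChange" not in entry or "sambaPwdLastSet" not in entry:
            continue
        unix_day = int(entry["shadowLastChange"])
        # shadowLastChange has day granularity, so compare whole days only;
        # a same-day Unix-only change cannot be detected this way.
        samba_day = int(entry["sambaPwdLastSet"]) // SECONDS_PER_DAY
        if unix_day > samba_day:
            findings.append((entry["uid"], unix_day - samba_day))
    return findings

if __name__ == "__main__":
    for uid, days in find_stale_samba_passwords(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: Samba password is {days} day(s) older than Unix password")
```
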
