shadowlastchange not updated automatically by chauthtok

by gbjk

I am successfully changing a password using chauthtok.

However this does not cause shadowlastchange to be updated.

passwd works and changes the date correctly.
I've looked at the source of passwd.c and I can't see anything obvious that achieves it there that's done differently.
do_pam_passwd is called, which effectively just does:
ret = pam_chauthtok (pamh, flags);

What am I missing that might affect this?
Is pam_chauthtok responsible for updating, or delegating the updating, of the shadowlastchange?
I figure it must be, since that's all passwd calls (it exits afterward do_pam_passwd).

Thanks

Gareth
 

Re: shadowlastchange not updated automatically by chauthtok

by Tony Earnshaw-4

Gareth Kirwan wrote, on 09-10-2007 10:01:

> I am successfully changing a password using chauthtok.
>
> However this does not cause shadowlastchange to be updated.
>
> passwd works and changes the date correctly.
> I've looked at the source of passwd.c and I can't see anything obvious
> that achieves it there that's done differently.
> do_pam_passwd is called, which effectively just does:
> ret = pam_chauthtok (pamh, flags);
>
> What am I missing that might affect this?
> Is pam_chauthtok responsible for updating, or delegating the updating,
> of the shadowlastchange?
> I figure it must be, since that's all passwd calls (it exits afterward
> do_pam_passwd).

Dunno if this helps, it might be overkill. Moreover, you might not be
using OpenLDAP.

The RHEL5 site with 1150+ users that I OpenLDAP-manage has always had
the policy that users new get apg-generated passwords from admin every
so often. Recently it was decreed that users were to be forced to change
their own passwords according to a strict policy. Most users are also
Windows (Samba) users and their login and password has to be valid for
all services on Linux or Windows.

I taught myself OpenLDAP's ppolicy, which does much more than you want,
and with the smbk5pwd module included in the OL 2.3.recent contrib
section it syncs Samba passwords. It certainly updates shadowlastchange.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: shadowlastchange not updated automatically by chauthtok

by Andreas Hasenack

On Tue, 2007-10-09 at 09:01 +0100, Gareth Kirwan wrote:
> I am successfully changing a password using chauthtok.
>
> However this does not cause shadowlastchange to be updated.

I don't know chauthtok, but maybe it's just your ACLs that are
preventing the shadowLastChange attribute from being updated. Check the LDAP
server logs, see if there is at least an attempt to update
shadowLastChange.
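
The log check suggested in the last reply, as an added example that is not part of the original thread: it scans slapd log text for modify operations that touch shadowLastChange and pairs each with its result code. It assumes OpenLDAP's "stats" log format (loglevel 256); the log lines, host name and DNs are constructed, and the function names are hypothetical.

```python
import re

# Constructed slapd log lines (OpenLDAP "stats" level, loglevel 256); the
# host name, DNs and connection numbers are made up for this example.
SAMPLE_LOG = """\
Oct  9 09:01:12 ldap1 slapd[2143]: conn=1001 op=1 PASSMOD id="uid=user1,ou=People,dc=example,dc=com" new
Oct  9 09:01:12 ldap1 slapd[2143]: conn=1001 op=1 RESULT oid= err=0 text=
Oct  9 09:01:12 ldap1 slapd[2143]: conn=1001 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Oct  9 09:01:12 ldap1 slapd[2143]: conn=1001 op=2 MOD attr=shadowLastChange
Oct  9 09:01:12 ldap1 slapd[2143]: conn=1001 op=2 RESULT tag=103 err=50 text=
Oct  9 09:07:40 ldap1 slapd[2143]: conn=1002 op=3 MOD dn="uid=user2,ou=People,dc=example,dc=com"
Oct  9 09:07:40 ldap1 slapd[2143]: conn=1002 op=3 MOD attr=userPassword shadowLastChange
Oct  9 09:07:40 ldap1 slapd[2143]: conn=1002 op=3 RESULT tag=103 err=0 text=
"""

LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (MOD|RESULT) (.*)$")
ERRORS = {0: "success", 50: "insufficientAccess (check the ACLs)"}

def shadow_updates(log_text, attr="shadowLastChange"):
    """Return one record per modify operation that touched `attr`."""
    ops = {}  # (conn, op) -> details collected from that operation's lines
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # neither a MOD line nor a RESULT line
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        rec = ops.setdefault(key, {"dn": None, "attrs": set(), "err": None})
        if kind == "MOD" and rest.startswith("dn="):
            rec["dn"] = rest[3:].strip('"')
        elif kind == "MOD" and rest.startswith("attr="):
            # slapd lists every modified attribute on one line, space separated
            rec["attrs"].update(a.lower() for a in rest[5:].split())
        elif kind == "RESULT":
            err = re.search(r"\berr=(\d+)", rest)
            rec["err"] = int(err.group(1)) if err else None
    # Attribute names are case-insensitive in LDAP, so compare in lower case.
    return [{"conn": c, "op": o, "dn": r["dn"], "err": r["err"]}
            for (c, o), r in ops.items() if attr.lower() in r["attrs"]]

def summarize(records):
    """One line of text: was an update attempted, and how did it end?"""
    if not records:
        return "no attempt to update the attribute was logged"
    return "; ".join("%s: %s" % (r["dn"], ERRORS.get(r["err"], "err=%s" % r["err"]))
                     for r in records)

if __name__ == "__main__":
    print(summarize(shadow_updates(SAMPLE_LOG)))
```

An empty result means the client never sent the modify at all, which points away from the server's ACLs and toward the client side.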