password expiry changes with WEBMIN fail

Working on a customer site which has a strict password ageing policy for it's UNIX users and application logins; I came across a quirky issue.

The site has a group of operators, who monthly regularly change usernames on a set of UNIX systems using webmin; The problem is, is that whilst the operators seem to change the passwords, they fail, or at least the last changed fields in /etc/shadow is not being updated with the new value (namely the date the password was changed).

After a process of elimination and trawling through lines of code, the cause was a simple configuration issue:-

Each of the operators that use webmin to manage password expiry, have a unique file under /etc/webmin/useradmin, for example

# ls *acl
mchurchi.acl        swoods.acl        ttoms.acl

Within these file are a series of options, bu the one we are interested in is:

peopt=0

Here is the problem, according to the source code, if peopt is not equal to 1 then the webmin password change facility will not update the /etc/shadow, instead it will attempt to change /etc/passwd.

Eureka! In changing the option to the correct value resolved this issue all the operators.

peopt=1