password expiry changes with WEBMIN fail
Working on a customer site which has a strict password ageing policy for its UNIX users and application logins, I came across a quirky issue.
The site has a group of operators who regularly, each month, change usernames on a set of UNIX systems using Webmin. The problem is that, whilst the operators appear to change the passwords, the changes fail, or at least the last-changed field in /etc/shadow is not updated with the new value (namely the date the password was changed).
After a process of elimination and trawling through lines of code, the cause turned out to be a simple configuration issue:
Each of the operators who use Webmin to manage password expiry has a unique file under /etc/webmin/useradmin, for example:
# ls *acl
mchurchi.acl swoods.acl ttoms.acl
Within these files are a series of options, but the one we are interested in is:
peopt=0
Here is the problem: according to the source code, if peopt is not equal to 1 then the Webmin password change facility will not update /etc/shadow; instead it will attempt to change /etc/passwd.
Eureka! Changing the option to the correct value resolved the issue for all the operators.
peopt=1
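
To check every operator's file at once and confirm that a password change really lands in /etc/shadow, a small audit script helps. The following is an added example, not code from Webmin or from the original post; the function names, the op_*.acl file names and the sample shadow entries are constructed for illustration, and treating a missing peopt line as "needs review" is an assumption.

```shell
#!/bin/sh
# Added example: audit Webmin useradmin ACL files for peopt and read back
# the last-change field (field 3) from a shadow-format file.

# Print "<file> peopt=<value>" for every *.acl in $1 whose peopt is not 1.
# A file with no peopt line is reported as "unset" (assumption: review it).
peopt_audit() {
    dir=$1
    for f in "$dir"/*.acl; do
        [ -f "$f" ] || continue
        val=$(awk -F= '$1 == "peopt" { v = $2 } END { print v }' "$f")
        [ "$val" = "1" ] && continue
        printf '%s peopt=%s\n' "${f##*/}" "${val:-unset}"
    done
}

# Print the last password change of user $2 in shadow-format file $1,
# as stored: days since 1970-01-01.
shadow_lastchg() {
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# Succeed if user $2 changed their password within the last $3 days.
# Returns 2 if the user has no entry or an empty last-change field.
changed_recently() {
    last=$(shadow_lastchg "$1" "$2")
    [ -n "$last" ] || return 2
    today=$(( $(date +%s) / 86400 ))
    [ $(( today - last )) -le "$3" ]
}

# Constructed sample data (not from a real system) so the checks run offline.
make_sample() {
    d=$(mktemp -d)
    printf 'peopt=0\n' > "$d/op_a.acl"
    printf 'peopt=1\n' > "$d/op_b.acl"
    printf 'other=1\n' > "$d/op_c.acl"
    today=$(( $(date +%s) / 86400 ))
    printf 'alice:x:%s:0:30:7:::\nbob:x:%s:0:30:7:::\n' \
        "$today" "$((today - 90))" > "$d/shadow"
    echo "$d"
}

# Run against a directory given as $1, e.g. /etc/webmin/useradmin.
if [ "$#" -ge 1 ]; then peopt_audit "$1"; fi
```

Run as root against the real directory, any line of output names an operator file to correct; changed_recently can then be pointed at /etc/shadow after the next scheduled password change to confirm the date field moved.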