Thanks, thats usefull. However I've tested this on few machines and all accounts show -1

I've done a 'grep -i max_days /etc/login.defs' and this returns PASS_MAX_DAYS 42 as expected.

I wonder if the following is related:

(http://linux.about.com/library/cmd/blcmdl1_chage.htm)

"The chage program requires shadow password file to be available.

Its functionality is not available when passwords are stored in the passwd file."

There is a /etc/security/opasswd file in place on the servers - is that the same as a passwd file?

Just clarification, old accounts that you have before you executed esxcfg-auth should not have the new pass max value. You can either have -1 (never expires) or 99999. The once you issue the esxcfg-auth command, you should change old accts using chage. Here is an example

# chage jjjj

Changing the aging information for jjjj

Enter the new value, or press ENTER for the default

Minimum Password Age :

Maximum Password Age : 24

Last Password Change (YYYY-MM-DD) :

Password Expiration Warning :

Password Inactive :

Account Expiration Date (YYYY-MM-DD) :

#

#

# chage -l jjjj

Last password change : Oct 01, 2010

Password expires : Oct 25, 2010

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 24

Number of days of warning before password expires : 7

ESX (classic) uses /etc/shadow and /etc/passwd, we don't use /etc/security/opasswd