Preventing users from changing password

Patrick McCarty mccartyp at
Wed Jul 10 16:43:15 GMT 2002

>> I'm attempting to prevent our users from changing their passwords from
>> Windows XP specifically.
>> I've tried setting acctflags in LDAP to:
>> acctFlags: [UPX        ]
>> (P for cannot change password)
> There is no 'P' option.

I noticed that just after I wrote this message. =)

I got that info from something related to the samba-tng branch, which
has implemented the 'P' option.

Unfortunately, on further analysis, TNG's P option isn't what I was looking
for after all. The server simply checks that user's ACLs to see whether
it is allowed to update the password for that user, not send a message to
the client that it is not allowed to change the password.

Nevertheless, if this is desired functionality (while not for myself) it
wouldn't be too difficult to apply this to Samba's HEAD tree, which I'm
willing to do if you think that this "feature" is a good thing.

>> and I've set:
>> pwdCanChange: 2147483647
>> pwdMustChange: 2147483647
>> Unfortunately, XP isn't honoring these fields.
>> What's the trick?
> Not supported in Samba yet.
> The 'user cannot change password' is implemented in NT as an ACL on the
> user.  We don't have ACL support for this yet - discussions are just
> starting on a new SAM subsystem with such features.
> PasswordCanChange is also not yet implemented, but I'll take patches (to
> HEAD) to improve that support.

I'd be happy to hack on it a bit, however I'm unsure by what mechanism
(rpc call?) this is sent to the client. I'll look over the code some and
see what I can do.

Patrick McCarty
Video Technician
Azusa Pacific University

Logic is a systematic method of coming to the wrong conclusion with

More information about the samba-technical mailing list