[Samba] Enforcing Password Policies...

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Aug 8 18:46:41 GMT 2007


On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend.  I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface).  I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.
If you set sambaPwdCanChange in the future (e.g. 1286597349, which corresponds
to Saturday, October 9th 2010, 4:09:09 (GMT)), the user cannot change his
password with Windows until this date.

The problem is that he can still modify his LDAP password.
You could add ACLs to your slapd.conf such that only your
ldap admin dn has write access to the userPassword attribute.
In this case the only way to change the password is via Samba.

HTH,
Thierry.
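
The ACL suggested in the reply above could look like the following slapd.conf fragment. This is an added example, not part of the original message; the DNs and suffix are placeholders, and covering the Samba hash attributes alongside userPassword is an assumption that goes beyond what the reply mentions.

```conf
# slapd.conf fragment (constructed example; replace the placeholder DNs).
#
# slapd stops at the first "access to" clause that matches the target,
# so this clause must appear BEFORE any broader rule such as "access to *".

# Password material: writable only by the DN that Samba binds with
# (the value of "ldap admin dn" in smb.conf). There is deliberately no
# "by self write" line, which is what stock configurations usually carry
# and what lets a user change the LDAP password directly.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba-admin,dc=example,dc=com" write
        by anonymous auth
        by * none

# Password policy timestamps: users may read them but not move the
# sambaPwdCanChange date back into the past themselves.
access to attrs=sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet
        by dn.exact="cn=samba-admin,dc=example,dc=com" write
        by users read
        by * none

# Everything else: admin writes, authenticated users read.
access to *
        by dn.exact="cn=samba-admin,dc=example,dc=com" write
        by users read
        by * none
```

"by anonymous auth" is needed so simple binds can still be checked against userPassword. The rootdn is not subject to these ACLs, so its credentials need the same protection as the Samba admin DN's.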


