[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)
Thierry Lacoste
lacoste at miage.univ-paris12.fr
Wed Aug 8 22:56:44 GMT 2007
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface). I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.

With OpenLDAP one can use
    ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE.

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.