[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Aug 8 22:56:44 GMT 2007


On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend.  I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface).  I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.

With OpenLDAP one can use
  ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.
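
The policy described in the message above could look like the following LDIF. This is an added example, not part of the original post; the suffix dc=example,dc=com, the ou=policies container, the policy name cn=nochange and the account uid=kiosk are constructed placeholders, and it assumes the ppolicy overlay is already loaded on the database.

```ldif
# Constructed example: all DNs below are placeholders.
# Record 1: a policy whose only purpose is to forbid self-service
# password changes. pwdPolicy is an auxiliary class, so a structural
# class (organizationalRole here) carries the entry.
dn: cn=nochange,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalRole
objectClass: pwdPolicy
cn: nochange
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

# Record 2: bind that policy to one account only. Accounts without a
# pwdPolicySubentry keep whatever default policy the overlay is
# configured with.
dn: uid=kiosk,ou=People,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=nochange,ou=policies,dc=example,dc=com
```

Since the Windows client reports success either way, confirm the result on the directory side, for example by comparing the account's sambaNTPassword value before and after an attempted change.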


