[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

Andrew Bartlett abartlet at samba.org
Mon Aug 13 01:11:56 GMT 2007


On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > Dear Help,
> >
> > I'm currently running Samba with an LDAP passdb backend.  I'm trying to
> > figure out how to NOT allow a particular user to change their password
> > (through Windows, or any interface).  I've tried modifying the values for
> > sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> > seems like it only affects making them change their password, instead of
> > whether or not they're ALLOWED to.
> With OpenLDAP one can use
>   ldap passwd sync = only
> in smb.conf  and let the smbk5pwd overlay synchronize the LM and NT passwords.
> 
> If you add the ppolicy overlay you have a clean way to prevent password
> changes for some accounts (through Windows, or any interface).
> For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
> 
> The only problem is that a Windows client reports a successful password
> change even though the password was not changed because of the above
> pwdPolicy.

Was it not changed?  To OpenLDAP, the change from Samba doesn't look
like a user change (because we set it using Samba's credentials).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com