[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)
Andrew Bartlett
abartlet at samba.org
Mon Aug 13 01:11:56 GMT 2007
On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > Dear Help,
> >
> > I'm currently running Samba with an LDAP passdb backend. I'm trying to
> > figure out how to NOT allow a particular user to change their password
> > (through Windows, or any interface). I've tried modifying the values for
> > sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> > seems like it only effects making them change their password, instead of
> > whether or not they're ALLOWED to.
> With OpenLDAP one can use
> ldap passwd sync = only
> in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.
>
> If you add the ppolicy overlay you have a clean way to prevent password
> changes for some acounts (through Windows, or any interface).
> For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
>
> The only problem is that a Windows client reports a successful password
> change even though the password was not changed because of the above
> pwdPolicy.
Was it not changed? To OpenLDAP, the change from Samba doesn't look
like a user change (because we set it using Samba's credentials).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20070813/2e2e901f/attachment.bin
More information about the samba
mailing list