[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

Thierry Lacoste lacoste at miage.univ-paris12.fr
Mon Aug 13 11:14:25 GMT 2007


On Monday 13 August 2007 03:11, Andrew Bartlett wrote:
> On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> > On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > > Dear Help,
> > >
> > > I'm currently running Samba with an LDAP passdb backend.  I'm trying to
> > > figure out how to NOT allow a particular user to change their password
> > > (through Windows, or any interface).  I've tried modifying the values
> > > for sambaPwdCanChange and sambaPwdMustChange for a particular user, but
> > > it seems like it only affects making them change their password,
> > > instead of whether or not they're ALLOWED to.
> >
> > With OpenLDAP one can use
> >   ldap passwd sync = only
> > in smb.conf  and let the smbk5pwd overlay synchronize the LM and NT
> > passwords.
> >
> > If you add the ppolicy overlay you have a clean way to prevent password
> > changes for some accounts (through Windows, or any interface).
> > For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
> >
> > The only problem is that a Windows client reports a successful password
> > change even though the password was not changed because of the above
> > pwdPolicy.
>
> Was it not changed?  To OpenLDAP, the change from Samba doesn't look
> like a user change (because we set it using Samba's credentials).
According to man 5 slapo-ppolicy:
       Note that some of the policies do not take effect when the operation is
       performed with the rootdn identity; all the operations, when  performed
       with  any  other identity, may be subjected to constraints, like access
       control.

The pwdPolicy applies to my smb.conf ldap admin dn because it is not my
slapd.conf rootdn.

- I first remove the pwdPolicy from a user's account using my rootdn:

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
delete: pwdPolicySubentry

modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- I confirm that my slapd.conf ACLs allow my ldap admin dn to
change a user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret1

modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- I apply a pwdPolicy:

$ ldapsearch -LLL -b 'ou=Policies,o=stars' 'cn=frozen'
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=frozen,ou=Policies,o=stars

modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"

- Now my ldap admin dn cannot change the user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret2

modifying entry "uid=lacoste,ou=Users,ou=Accounts,o=stars"
ldap_modify: Insufficient access (50)
        additional info: User alteration of password is not allowed

Regards,
Thierry.
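The procedure above attaches a pwdPolicy with pwdAllowUserChange: FALSE to a single account by hand. When several accounts are frozen this way, an administrator will want to audit which ones they are from a plain ldapsearch dump rather than by reading entries one by one. The following is an added example, not code from this thread or from the OpenLDAP or Samba projects. It parses LDIF as written by `ldapsearch -LLL`, finds every pwdPolicy entry that sets pwdAllowUserChange: FALSE, and lists the accounts whose pwdPolicySubentry points at one of them. It assumes, as slapo-ppolicy does, that an entry with no pwdPolicySubentry falls under the server's default policy (the `ppolicy_default` directive), so that DN can be passed in as an optional argument; the DN comparison is a deliberate simplification (case-insensitive, spaces around commas ignored), not a full RFC 4514 normaliser. The sample LDIF is constructed for the example and mirrors the `cn=frozen` policy shown above.

```python
"""Audit an OpenLDAP ppolicy setup from an LDIF dump (added example).

Feed it the output of something like
  ldapsearch -LLL -b 'o=stars' '(|(objectClass=pwdPolicy)(uid=*))' \
      objectClass pwdAllowUserChange pwdPolicySubentry
and it reports which accounts are bound to a policy that forbids
password changes by any identity other than the slapd rootdn.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute name (lowercased) -> values


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF content records into {dn: {attr: [values]}}.

    Handles RFC 2849 line folding (continuation lines start with a space),
    base64 values ('attr:: ...') and comment lines. Change records
    ('changetype: ...') are not needed here and are not handled.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:  # trailing blank flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if "dn" in current:
                dn = current.pop("dn")[0]
                entries[dn] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        # LDAP attribute names are case-insensitive; normalise for lookup.
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def _norm(dn: str) -> str:
    """Simplified DN comparison key (assumption: good enough for ldapsearch
    output; not a full RFC 4514 normaliser)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _is_policy(e: Entry) -> bool:
    return any(oc.lower() == "pwdpolicy" for oc in e.get("objectclass", []))


def frozen_accounts(ldif_text: str,
                    default_policy_dn: Optional[str] = None) -> List[str]:
    """Return DNs of non-policy entries whose effective pwdPolicy has
    pwdAllowUserChange: FALSE.

    default_policy_dn is the slapd.conf 'ppolicy_default' DN, if any; it is
    applied to entries that carry no pwdPolicySubentry of their own.
    """
    entries = parse_ldif(ldif_text)
    frozen_policies = {
        _norm(dn) for dn, e in entries.items()
        if _is_policy(e)
        and any(v.upper() == "FALSE" for v in e.get("pwdallowuserchange", []))
    }
    frozen: List[str] = []
    for dn, e in entries.items():
        if _is_policy(e):
            continue
        policies = e.get("pwdpolicysubentry") or (
            [default_policy_dn] if default_policy_dn else [])
        if any(_norm(p) in frozen_policies for p in policies):
            frozen.append(dn)
    return frozen


# Constructed sample dump: the 'frozen' policy from the thread, a permissive
# 'default' policy, one frozen user, one unfrozen user, one with no subentry.
SAMPLE_LDIF = """\
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

dn: cn=default,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE

dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
objectClass: inetOrgPerson
uid: lacoste
description:: RnJvemVuIGFjY291bnQ=
pwdPolicySubentry: cn=frozen,ou=Policies,
 o=stars

dn: uid=alice,ou=Users,ou=Accounts,o=stars
objectClass: inetOrgPerson
uid: alice
pwdPolicySubentry: cn=default,ou=Policies,o=stars

dn: uid=bob,ou=Users,ou=Accounts,o=stars
objectClass: inetOrgPerson
uid: bob
"""

if __name__ == "__main__":
    print("frozen (no default policy):", frozen_accounts(SAMPLE_LDIF))
    print("frozen (default = cn=frozen):",
          frozen_accounts(SAMPLE_LDIF, "cn=frozen,ou=Policies,o=stars"))
```

Run against a real dump, only the `SAMPLE_LDIF` constant needs replacing with the file contents. Keep in mind the caveat from the man page quoted above: the report says which identities other than the rootdn are blocked; modifications made by the rootdn itself bypass the policy regardless of what this listing shows.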


