[Samba] Password policy for user-managed passwords

Rowland Penny rpenny at samba.org
Mon Nov 1 16:46:24 UTC 2021


On Mon, 2021-11-01 at 12:34 -0400, Philippe LeCavalier via samba wrote:
> On Mon, Nov 1, 2021 at 10:30 AM Philippe LeCavalier <support at plecavalier.com> wrote:
> 
> > On Mon, Nov 1, 2021 at 10:10 AM mj via samba <samba at lists.samba.org> wrote:
> > 
> > > Perhaps your issue is described here:
> > > 
> > > > There are two possible ways to modify the unicodePwd attribute. The
> > > > first is similar to a normal user change password operation. In this
> > > > case, the modify request must contain both a delete and an add
> > > > operation. The delete operation must contain the current password
> > > > with quotes around it. The add operation must contain the desired new
> > > > password with quotes around it.
> > > > 
> > > > The second way to modify this attribute is analogous to an
> > > > administrator resetting a password for a user. In order to do this,
> > > > the client must bind as a user with sufficient permissions to modify
> > > > another user's password. This modify request should contain a single
> > > > replace operation with the new desired password surrounded by quotes.
> > > > If the client has sufficient permissions, this password becomes the
> > > > new password, regardless of what the old password was.
> > > 
> > > Read more here:
> > > 
> > > https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password
> > > 
> > > MJ
> > > 
> > If that were to be the case a newly created account would experience the
> > same issue but it doesn't. New users can CTRL+ALT+DEL and change their
> > passwords. I wonder if it might have to do with the particular user having
> > the setexpiry to 0? I'll try setting it to 90 and see if she can change it.
> > 
> Now that I think of it more, I may have the issue but I need help getting
> to the solution.
> 
> This user account was most likely created using the GUI (RSAT) and the
> 'user cannot change password' bit set. Whenever possible I use samba-tool
> and have found that I haven't even touched RSAT for quite a while. If there
> is no way to revert that setting via CLI then I'll have to get back into
> RSAT. So my question now is, can I change that setting in samba-tool or
> some other CLI-based way?

You have to set/change an ACE to stop a user changing their password,
see here:

https://docs.microsoft.com/en-us/windows/win32/adsi/modifying-user-cannot-change-password-ldap-provider

Rowland
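The two unicodePwd modify shapes quoted from the Microsoft article above are easy to get subtly wrong (the quotes are part of the value, and the value is UTF-16LE, not UTF-8). The following is an added illustration, not code from this thread, Samba or Microsoft: it builds and validates both request shapes as python-ldap style modlists without contacting any server. The op-code constants are assumed to match python-ldap's ldap.MOD_ADD/MOD_DELETE/MOD_REPLACE, and the passwords are constructed sample values. It does not touch the "User cannot change password" ACE that Rowland's link covers; an account that is denied the Change Password right will have the self-change form rejected while the administrative reset still succeeds. Both forms must also be sent over an encrypted connection (LDAPS or equivalent), which AD and Samba enforce for this attribute.

```python
"""Construct and sanity-check LDAP modify operations for unicodePwd.

Added example, not from the samba list thread. No LDAP connection is
made; the functions only build and validate the modification list.
"""

# Op codes: these values are assumed to equal python-ldap's
# ldap.MOD_ADD (0), ldap.MOD_DELETE (1) and ldap.MOD_REPLACE (2).
MOD_ADD = 0
MOD_DELETE = 1
MOD_REPLACE = 2

ATTR = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """AD and Samba expect the UTF-16LE encoding of the password wrapped
    in double quotes; the quote characters are part of the stored value."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; raises ValueError if the value is not
    quoted UTF-16LE (the usual cause of 'constraint violation' errors)."""
    text = value.decode("utf-16-le")  # UnicodeDecodeError is a ValueError
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be wrapped in double quotes")
    return text[1:-1]


def self_change_modlist(old_password: str, new_password: str) -> list:
    """Form 1: the user, bound as themselves, proves knowledge of the old
    password by deleting it and adding the new one in a single request."""
    return [
        (MOD_DELETE, ATTR, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, ATTR, [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password: str) -> list:
    """Form 2: an account holding the Reset Password right replaces the
    value outright; the old password is neither needed nor checked."""
    return [(MOD_REPLACE, ATTR, [encode_unicode_pwd(new_password)])]


def classify_modlist(modlist: list) -> str:
    """Check a modlist against the two documented shapes and name it.

    Returns "self-change" or "admin-reset"; raises ValueError for anything
    else (wrong attribute, unquoted value, extra or reordered operations).
    """
    for op, attr, values in modlist:
        if attr != ATTR:
            raise ValueError(f"unexpected attribute {attr!r}")
        if len(values) != 1:
            raise ValueError("each unicodePwd operation carries exactly one value")
        decode_unicode_pwd(values[0])  # raises if malformed
    ops = [op for op, _, _ in modlist]
    if ops == [MOD_DELETE, MOD_ADD]:
        return "self-change"
    if ops == [MOD_REPLACE]:
        return "admin-reset"
    raise ValueError(f"unsupported operation sequence {ops}")


if __name__ == "__main__":
    # Constructed sample passwords; never log the encoded bytes in practice.
    change = self_change_modlist("OldPass1", "NewPass2")
    reset = admin_reset_modlist("NewPass2")
    print("self-change ops:", [op for op, _, _ in change], classify_modlist(change))
    print("admin-reset ops:", [op for op, _, _ in reset], classify_modlist(reset))
    print("encoded length of \"NewPass2\":", len(encode_unicode_pwd("NewPass2")), "bytes")
```

With a real python-ldap connection the returned list is what you would pass to `modify_s(user_dn, modlist)`; the classifier is useful in a wrapper that refuses to send the admin-reset form from code that is only meant to perform self-service changes.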