Roel van Meer
2014-Sep-29 14:20 UTC
[Samba] How to prevent users from changing their password?
Hi list, With Samba 4 in AD mode, how can I prevent users from changing their password? I have a working samba 4 AD. I can, with the ADUC, set the "User cannot change password" flag in the account options. However, I would like to be able to do so without using the ADUC. The other account options can be managed directly in LDAP, by setting the USERACCOUNTCONTROL attribute mostly. However, according to http://support.microsoft.com/kb/305144, this is not possible for the "User cannot change password" flag. So, is there a way to do this from linux? If not, does anyone know about an Samba 4 user manager tool that can do this, that I could look at? I know that http://msdn.microsoft.com/en-us/library/aa746398.aspx has some code examples, but I don't want to reinvent any wheels. Thanks, Roel
Matthieu Patou
2014-Sep-29 23:58 UTC
[Samba] How to prevent users from changing their password?
On 09/29/2014 07:20 AM, Roel van Meer wrote:> Hi list, > > With Samba 4 in AD mode, how can I prevent users from changing their > password? > > I have a working samba 4 AD. I can, with the ADUC, set the "User > cannot change password" flag in the account options. However, I would > like to be able to do so without using the ADUC. > > The other account options can be managed directly in LDAP, by setting > the USERACCOUNTCONTROL attribute mostly.> However, according to http://support.microsoft.com/kb/305144, this is > not possible for the "User cannot change password" flag.This is possible but you need to do it with an admin, as for the value itself, I would recommend doing ldbsearch on a user before setting the value and then after (using aduc) to see which fields you have to change and to which value. Once you know the value scripting this should be fairly easy, you can modify samba-tool to do it for you. Matthieu. -- Matthieu Patou Samba Team http://samba.org