Dear Help,

I'm currently running Samba with an LDAP passdb backend. I'm trying to figure out how to NOT allow a particular user to change their password (through Windows, or any interface). I've tried modifying the values for sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems like it only affects making them change their password, instead of whether or not they're ALLOWED to.

Secondly, I've used pdbedit to edit the lockout policies when using a bad password ("lockout duration" = 30, "bad lockout attempt" = 5 and "reset count minutes" = 30). When I type in the wrong password 5 times for a user, it locks the account as it should. However, 30 minutes later (or more) it's still locked and the bad attempt count is not being reset. Is there something else I need to modify to make this functionality work?

Any help would be most appreciated. Thank you!

-Matt
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface). I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.

If you set sambaPwdCanChange in the future (e.g. 1286597349, which corresponds to Saturday, October 9th 2010, 4:09:09 (GMT)) the user cannot change their password until this date with Windows. The problem is that they can still modify their LDAP password. You could add ACLs to your slapd.conf such that only your LDAP admin DN has write access to the userPassword attribute. In this case the only way to change the password is via Samba.

HTH,
Thierry.
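The two steps from the reply above (push sambaPwdCanChange into the future, then close the LDAP side with a slapd.conf ACL), written out as an added example; this is not code from the thread or from the Samba or OpenLDAP projects. Everything concrete in it is assumed: the suffix dc=example,dc=com, users under ou=People, cn=admin,dc=example,dc=com as the DN Samba binds with ("ldap admin dn"), a user uid=jdoe, slapd.conf-style configuration as used in 2007, and GNU date for the epoch conversion. The ACL also covers the Samba hash attributes, which goes one step beyond the reply's userPassword-only suggestion.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical): suffix dc=example,dc=com, users under ou=People,
# Samba's "ldap admin dn" is cn=admin,dc=example,dc=com, OpenLDAP configured
# via slapd.conf, and a user uid=jdoe.
set -eu

BASE="dc=example,dc=com"
ADMIN="cn=admin,$BASE"
LDAPURI="${LDAPURI:-ldap://localhost}"

# sambaPwdCanChange is a Unix time_t. Convert a far-future date with GNU date;
# 2010-10-09 04:09:09 UTC gives 1286597349, the value quoted in the reply.
far_future_epoch() {
  date -u -d "$1" +%s
}

# LDIF telling Samba the user may not change the password before that time.
# $1 = uid, $2 = epoch seconds
pwd_can_change_ldif() {
  printf 'dn: uid=%s,ou=People,%s\n' "$1" "$BASE"
  printf 'changetype: modify\n'
  printf 'replace: sambaPwdCanChange\n'
  printf 'sambaPwdCanChange: %s\n' "$2"
}

# slapd.conf ACL closing the LDAP side: only the admin DN (the DN Samba binds
# with) may write the password attributes; everyone else may only use them to
# bind. There is deliberately no "by self write". Place this BEFORE any broader
# "access to *" rule: the first "access to" clause whose target matches wins.
userpassword_acl() {
  cat <<EOF
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="$ADMIN" write
        by anonymous auth
        by * none
EOF
}

if [ "${1:-}" = "apply" ]; then
  # Block Windows-side changes until 2030 (admin password prompted by -W).
  pwd_can_change_ldif jdoe "$(far_future_epoch '2030-01-01 00:00:00')" \
    | ldapmodify -x -H "$LDAPURI" -D "$ADMIN" -W

  # Print the ACL to paste into slapd.conf; restart slapd afterwards.
  userpassword_acl

  # Check: with the ACL in place, a self-service change over LDAP must fail
  # ("Insufficient access"). jdoe's current password is prompted by -W.
  if ldappasswd -x -H "$LDAPURI" -D "uid=jdoe,ou=People,$BASE" -W -s 'N3wPassw0rd!'; then
    echo "FAIL: jdoe could still change userPassword over LDAP" >&2
    exit 1
  fi
  echo "OK: self-service LDAP password change refused"
fi
```

Run it with the argument apply to modify the directory; without an argument it only defines the helpers. The final ldappasswd call is the check worth keeping: if it succeeds, the ACL is either missing or shadowed by an earlier, broader access clause.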
Thierry Lacoste
2007-Aug-08 22:58 UTC
[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface). I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only affects making them change their password, instead of
> whether or not they're ALLOWED to.

With OpenLDAP one can use "ldap passwd sync = only" in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords. If you add the ppolicy overlay you have a clean way to prevent password changes for some accounts (through Windows, or any interface). For instance one can use a pwdPolicy with "pwdAllowUserChange: FALSE". The only problem is that a Windows client reports a successful password change even though the password was not changed because of the above pwdPolicy.

Regards,
Thierry.
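The ppolicy route from this reply, wired together as an added example (not code from the thread or from the Samba or OpenLDAP projects): the smb.conf line, the slapd.conf overlay stanza, a pwdPolicy entry with pwdAllowUserChange: FALSE, and the per-user assignment. All names are assumed: suffix dc=example,dc=com, users under ou=People, an existing ou=Policies container, admin DN cn=admin,dc=example,dc=com, user uid=jdoe, slapd.conf-style configuration with the overlay modules built as .la files. It goes beyond the reply in one place: the default policy also carries ppolicy's own lockout attributes (5 failures, 30-minute lockout and counter reset), which is ppolicy's counterpart to the pdbedit settings asked about in the original question, not a substitute for them. The overlay ordering is an assumption as well.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical): suffix dc=example,dc=com, users under ou=People,
# an existing ou=Policies, admin DN cn=admin,dc=example,dc=com, user uid=jdoe,
# slapd.conf-style configuration, overlay modules available as .la files.
set -eu

BASE="dc=example,dc=com"
ADMIN="cn=admin,$BASE"
POLICY="cn=nochange,ou=Policies,$BASE"
LDAPURI="${LDAPURI:-ldap://localhost}"

# smb.conf: with "only", Samba no longer writes userPassword itself; the LM/NT
# hashes are derived from the LDAP password change by smbk5pwd instead.
smb_conf_fragment() {
  cat <<EOF
[global]
        ldap admin dn = $ADMIN
        ldap passwd sync = only
EOF
}

# slapd.conf, after the "database" section holding the users. Overlays run in
# reverse order of declaration, so ppolicy (declared last) sees the operation
# first and can refuse it before smbk5pwd touches the Samba hashes
# (ordering assumed here; check the docs of your slapd version).
slapd_conf_fragment() {
  cat <<EOF
moduleload smbk5pwd.la
moduleload ppolicy.la

overlay smbk5pwd
smbk5pwd-enable samba

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,$BASE"
EOF
}

# Policy entries. pwdPolicy is AUXILIARY, so each hangs off a structural class
# (device, a common choice). cn=default allows self-service changes and adds
# ppolicy's own lockout; cn=nochange is the "no user change" policy.
policy_ldif() {
  cat <<EOF
dn: cn=default,ou=Policies,$BASE
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 1800
pwdFailureCountInterval: 1800

dn: $POLICY
objectClass: device
objectClass: pwdPolicy
cn: nochange
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
EOF
}

# Pin one user to the "nochange" policy. $1 = uid
assign_policy_ldif() {
  printf 'dn: uid=%s,ou=People,%s\n' "$1" "$BASE"
  printf 'changetype: modify\n'
  printf 'replace: pwdPolicySubentry\n'
  printf 'pwdPolicySubentry: %s\n' "$POLICY"
}

if [ "${1:-}" = "apply" ]; then
  policy_ldif             | ldapadd    -x -H "$LDAPURI" -D "$ADMIN" -W
  assign_policy_ldif jdoe | ldapmodify -x -H "$LDAPURI" -D "$ADMIN" -W

  # Check 1: a self-service change as jdoe is now refused by ppolicy.
  if ldappasswd -x -H "$LDAPURI" -D "uid=jdoe,ou=People,$BASE" -W -s 'N3wPassw0rd!'; then
    echo "FAIL: ppolicy did not refuse jdoe's password change" >&2; exit 1
  fi
  # Check 2: a Windows client reports success even when ppolicy refused the
  # change, so confirm server-side that the timestamps did not move.
  ldapsearch -x -LLL -H "$LDAPURI" -D "$ADMIN" -W \
    -b "uid=jdoe,ou=People,$BASE" -s base pwdChangedTime sambaPwdLastSet
fi
```

Run with the argument apply after the smb.conf and slapd.conf fragments are in place and slapd has been restarted. The second check matters because of the caveat in the reply: the only reliable signal that the change was refused is on the server (pwdChangedTime and sambaPwdLastSet unchanged), not in the Windows dialog.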