search for: ms680832

Hi i m looking for a command / script to set user "User cannot change password" attribute in Samba AD DC (currently 4.3.11-Ubuntu) like from aduc found https://groups.google.com/forum/#!topic/linux.samba/86cB1X8c-1c and https://lists.samba.org/archive/samba/2013-August/175185.html but no solution provided the UserAccountControl flag "PASSWD_CANT_CHANGE" can not be set via

...GE" can not be set via > > ldap > > No, it is not true. You have 'simply'' to OR 0x00010000 > userAccountControl attribute, eg: > > userAccountControl = userAccountControl || 0x00010000 > > look at: > > https://msdn.microsoft.com/en-us/library/ms680832 > You cannot stop the user from changing their password by setting userAccountControl, you need to deny them permission to their object in AD. Rowland

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

...found 512 as a value: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' | cut -d ' ' -f 2 512 so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). If i disable it: root at vdcsv1:~# pdbedit --account-control="[D]" gaio [...] Account Flags: [DU ] [...] root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountCo...

...oot at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(cn=gaio)' | grep '^userAccountControl:' > | cut -d ' ' -f 2 512 > > so 0x200 (ADS_UF_NORMAL_ACCOUNT as stated by > https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx). > > If i disable it: > root at vdcsv1:~# pdbedit --account-control="[D]" gaio > [...] > Account Flags: [DU ] > [...] > root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=ad,DC=fvg,DC=lnf,DC=it' '(...