On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
> On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> > Dear Help,
> >
> > I'm currently running Samba with an LDAP passdb backend. I'm trying to
> > figure out how to NOT allow a particular user to change their password
> > (through Windows, or any interface). I've tried modifying the values for
> > sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> > seems like it only affects making them change their password, instead of
> > whether or not they're ALLOWED to.
> With OpenLDAP one can use
> ldap passwd sync = only
> in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.
>
> If you add the ppolicy overlay you have a clean way to prevent password
> changes for some accounts (through Windows, or any interface).
> For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
>
> The only problem is that a Windows client reports a successful password
> change even though the password was not changed because of the above
> pwdPolicy.

Was it not changed? To OpenLDAP, the change from Samba doesn't look like a user change (because we set it using Samba's credentials).

Andrew Bartlett

--
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org
Samba Developer, Red Hat Inc.            http://redhat.com
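
The ppolicy setup described in the quoted message, written out as LDIF. This is an added example, not part of the thread or of Samba's or OpenLDAP's own documentation; the suffix dc=example,dc=com, the policy name "nochange" and the account "kiosk" are constructed placeholders.

```ldif
# Constructed example: every DN below is a placeholder.
# Assumes the ppolicy overlay and its schema are already loaded in slapd,
# and that smb.conf contains the setting named in the thread:
#   ldap passwd sync = only

# 1. A password policy that forbids user-initiated password changes.
dn: cn=nochange,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: nochange
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

# 2. Attach that policy to the one account that must not change its password.
#    Accounts without pwdPolicySubentry fall back to the overlay's default
#    policy, if one is configured.
dn: uid=kiosk,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=nochange,ou=policies,dc=example,dc=com
```

Load it with ldapmodify, then test a password change for that account through the same path Samba uses and confirm in the directory whether the stored password actually changed, since the reply above points out that a change written with Samba's credentials does not look like a user change to OpenLDAP.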