Re: [Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-13 Thread Thierry Lacoste
On Monday 13 August 2007 03:11, Andrew Bartlett wrote:
 On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
  On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
   Dear Help,
  
   I'm currently running Samba with an LDAP passdb backend.  I'm trying to
   figure out how to NOT allow a particular user to change their password
   (through Windows, or any interface).  I've tried modifying the values
   for sambaPwdCanChange and sambaPwdMustChange for a particular user, but
   it seems like it only affects making them change their password,
   instead of whether or not they're ALLOWED to.
 
  With OpenLDAP one can use
    ldap passwd sync = only
  in smb.conf and let the smbk5pwd overlay synchronize the LM and NT
  passwords.
 
  If you add the ppolicy overlay you have a clean way to prevent password
  changes for some accounts (through Windows, or any interface).
  For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
 
  The only problem is that a Windows client reports a successful password
  change even though the password was not changed because of the above
  pwdPolicy.

 Was it not changed?  To OpenLDAP, the change from Samba doesn't look
 like a user change (because we set it using Samba's credentials).
According to man 5 slapo-ppolicy:
   Note that some of the policies do not take effect when the operation is
   performed with the rootdn identity; all the operations, when  performed
   with  any  other identity, may be subjected to constraints, like access
   control.

The pwdPolicy applies to my smb.conf ldap admin dn because it is not my
slapd.conf rootdn.

- I first remove the pwdPolicy from a user's account using my rootdn:

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
delete: pwdPolicySubentry

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- I confirm that my slapd.conf ACLs allow my ldap admin dn to
change a user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret1

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- I apply a pwdPolicy:

$ ldapsearch -LLL -b 'ou=Policies,o=stars' 'cn=frozen'
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=frozen,ou=Policies,o=stars

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- Now my ldap admin dn cannot change the user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret2

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars
ldap_modify: Insufficient access (50)
additional info: User alteration of password is not allowed

Regards,
Thierry.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
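The thread's key point is that ppolicy only constrains Samba's password writes when the smb.conf `ldap admin dn` is not slapd's `rootdn` (and the ppolicy overlay is loaded). The following is an added example, not code from the thread or from Samba/OpenLDAP: a small audit of constructed smb.conf and slapd.conf fragments that mirror Thierry's DNs, flagging the configurations under which `pwdAllowUserChange: FALSE` would silently be bypassed.

```python
import re

# Constructed config fragments (not from the thread's hosts), mirroring the
# thread's DNs: Samba binds as sambamgr, slapd's rootdn is ldapmgr.
SMB_CONF = """
[global]
    passdb backend   = ldapsam:ldap://localhost
    ldap admin dn    = cn=sambamgr,ou=managers,o=stars
    ldap passwd sync = only
"""
SLAPD_CONF = """
suffix   "o=stars"
rootdn   "cn=ldapmgr,ou=managers,o=stars"
overlay  ppolicy
"""

def normalize_dn(dn):
    """Canonicalise a DN for comparison: strip quotes, lower-case attribute
    types and values, drop whitespace around RDN separators.  Splits on
    unescaped commas only; this is not a full RFC 4514 parser."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn.strip().strip('"')):
        attr, _, value = rdn.partition('=')
        rdns.append(attr.strip().lower() + '=' + value.strip().lower())
    return ','.join(rdns)

def smb_option(text, key):
    """Return the value of an smb.conf option (case-insensitive), or None."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*(.+?)\s*$', text, re.M | re.I)
    return m.group(1) if m else None

def slapd_rootdn(text):
    """Return the rootdn argument from a slapd.conf fragment, or None."""
    m = re.search(r'^\s*rootdn\s+(.+?)\s*$', text, re.M | re.I)
    return m.group(1) if m else None

def audit(smb_conf, slapd_conf):
    """List the reasons ppolicy would NOT constrain Samba's password writes.
    An empty list means the setup matches the thread: a non-rootdn admin DN,
    ppolicy loaded, and Samba leaving the password sync to the overlay."""
    findings = []
    admin, root = smb_option(smb_conf, 'ldap admin dn'), slapd_rootdn(slapd_conf)
    if admin is None or root is None:
        findings.append('ldap admin dn or rootdn missing')
    elif normalize_dn(admin) == normalize_dn(root):
        findings.append('ldap admin dn is the rootdn: ppolicy is bypassed')
    if 'ppolicy' not in re.findall(r'^\s*overlay\s+(\S+)', slapd_conf, re.M):
        findings.append('ppolicy overlay not loaded')
    if (smb_option(smb_conf, 'ldap passwd sync') or '').lower() != 'only':
        findings.append('ldap passwd sync is not "only"')
    return findings
```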


Re: [Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-12 Thread Andrew Bartlett
On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
 On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
  Dear Help,
 
  I'm currently running Samba with an LDAP passdb backend.  I'm trying to
  figure out how to NOT allow a particular user to change their password
  (through Windows, or any interface).  I've tried modifying the values for
  sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
  seems like it only affects making them change their password, instead of
  whether or not they're ALLOWED to.
 With OpenLDAP one can use
   ldap passwd sync = only
 in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.
 
 If you add the ppolicy overlay you have a clean way to prevent password
 changes for some accounts (through Windows, or any interface).
 For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
 
 The only problem is that a Windows client reports a successful password
 change even though the password was not changed because of the above
 pwdPolicy.

Was it not changed?  To OpenLDAP, the change from Samba doesn't look
like a user change (because we set it using Samba's credentials).

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com



[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-08 Thread Thierry Lacoste
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
 Dear Help,

 I'm currently running Samba with an LDAP passdb backend.  I'm trying to
 figure out how to NOT allow a particular user to change their password
 (through Windows, or any interface).  I've tried modifying the values for
 sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
 seems like it only affects making them change their password, instead of
 whether or not they're ALLOWED to.
With OpenLDAP one can use
  ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.
