[Samba] Enforcing Password Policies...
Matt Anderson
Posted: Wed Aug 08, 2007 8:20 pm    Subject: [Samba] Enforcing Password Policies...
Archived from groups: linux>samba

Dear Help,

I'm currently running Samba with an LDAP passdb backend. I'm trying to figure
out how to NOT allow a particular user to change their password (through
Windows, or any interface). I've tried modifying the values for
sambaPwdCanChange and sambaPwdMustChange for a particular user, but it seems
like it only affects making them change their password, instead of whether or
not they're ALLOWED to.

Secondly, I've used pdbedit to edit the lockout policies when using a bad
password ("lockout duration" = 30, "bad lockout attempt" = 5 and "reset count
minutes" = 30). When I type in the wrong password 5 times for a user, it locks
the account as it should. However, 30 minutes later (or more) it's still locked
and the bad attempt count is not being reset. Is there something else I need to
modify to make this functionality work?

Any help would be most appreciated. Thank you!

-Matt

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
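The three policy values from the post, and a check for the symptom it describes, as an added Python example (not Samba's own code and not anything posted in this thread). It emits the pdbedit invocations that set the policies, then parses a constructed sample of `pdbedit -Lv` output to tell whether an account's autolock has outlived the configured "lockout duration" and builds the manual reset. The pdbedit option letters (`-P/-C`, `-u ... -z`, `-c "[flags]"`), the `-Lv` field labels and the timestamp format are assumptions based on Samba 3.x.

```python
"""Helpers for the pdbedit lockout policy discussed above.  Added example,
not Samba's own code.  Assumed: pdbedit's `-P <policy> -C <value>`,
`-u <user> -z` (reset bad password count) and `-c "[flags]"` options, and
the field labels of `pdbedit -Lv`, as in Samba 3.x."""
import re
import shlex
from datetime import datetime, timedelta

# The three policy values from the post.
POLICY = {
    "bad lockout attempt": 5,   # failures before the account is autolocked (L flag)
    "lockout duration": 30,     # minutes the autolock is meant to last
    "reset count minutes": 30,  # minutes after which the bad count is forgotten
}


def policy_commands(policy=POLICY):
    """pdbedit invocations that set the account policy values."""
    return ["pdbedit -P %s -C %d" % (shlex.quote(name), value)
            for name, value in policy.items()]


# Constructed sample of `pdbedit -Lv matt` output, trimmed to the fields the
# check needs; a real listing has many more lines.
SAMPLE_PDBEDIT_LV = """\
Unix username:        matt
NT username:          matt
Account Flags:        [UL         ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1001
Last bad password   : Wed, 08 Aug 2007 20:20:15 EDT
Bad password count  : 5
"""

_FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_pdbedit_lv(text):
    """Turn `pdbedit -Lv` output into {field label: value}."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_timestamp(value):
    """pdbedit prints 'Wed, 08 Aug 2007 20:20:15 EDT' or 'never'.  The zone
    abbreviation is dropped and the value read as server local time
    (assumption), which is enough for comparing against a local 'now'."""
    if value.lower() == "never":
        return None
    stamp = " ".join(value.split()[:5])
    return datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")


def lockout_state(fields, now, lockout_duration_min=POLICY["lockout duration"]):
    """Report whether an account's autolock has outlived 'lockout duration'.

    Returns the L-flag status, minutes since the last bad password, whether
    the configured duration has elapsed, and the manual reset: clear the bad
    count with -z and rewrite the account flags without L."""
    flags = fields.get("Account Flags", "[]")
    inner = flags[flags.find("[") + 1:flags.find("]")]
    locked = "L" in inner
    last_bad = parse_timestamp(fields.get("Last bad password", "never"))
    elapsed = (now - last_bad) if last_bad else None
    expired = elapsed is not None and elapsed >= timedelta(minutes=lockout_duration_min)
    user = fields.get("Unix username", "")
    keep = "".join(c for c in inner if c not in " L")
    return {
        "locked": locked,
        "bad_count": int(fields.get("Bad password count", "0") or 0),
        "elapsed_minutes": elapsed.total_seconds() / 60 if elapsed is not None else None,
        "duration_expired": expired,
        "stale_lock": locked and expired,
        "reset_command": 'pdbedit -u %s -z -c "[%s]"' % (shlex.quote(user), keep),
    }


def sample_state(minutes_after_last_bad):
    """Evaluate the constructed sample as seen N minutes after the failure."""
    fields = parse_pdbedit_lv(SAMPLE_PDBEDIT_LV)
    last_bad = parse_timestamp(fields["Last bad password"])
    return lockout_state(fields, last_bad + timedelta(minutes=minutes_after_last_bad))


if __name__ == "__main__":
    for cmd in policy_commands():
        print(cmd)
    print(sample_state(40))
```

Against a live server, replace the constructed sample with the output of `pdbedit -Lv <user>` (run as root) and pass `datetime.now()`; a result with `stale_lock` true means the L flag is still set although the policy window has passed, which is exactly the state the post reports, and `reset_command` is the manual way out while the cause is investigated.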
Thierry Lacoste
Posted: Wed Aug 08, 2007 8:50 pm    Subject: Re: [Samba] Enforcing Password Policies...

On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface). I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only effects making them change their password, instead of
> whether or not they're ALLOWED to.
If you set sambaPwdCanChange in the future (e.g. 1286597349, which corresponds
to Saturday, October 9th 2010, 4:09:09 (GMT)) the user cannot change his
password until this date with Windows.

The problem is that he can still modify his LDAP password.
You could add ACLs to your slapd.conf such that only your
LDAP admin DN has write access to the userPassword attribute.
In this case the only way to change the password is via Samba.

HTH,
Thierry.

Matt Anderson
Posted: Wed Aug 08, 2007 10:30 pm    Subject: [Samba] Re: Enforcing Password Policies...

> The problem is that he can still modify his LDAP password.
> You could add ACLs to your slapd.conf such that only your
> LDAP admin DN has write access to the userPassword attribute.
> In this case the only way to change the password is via Samba.
>
> HTH,
> Thierry.
>

Hi Thierry,

Modifying SambaPwdCanChange did help... but for some reason I can't set the date
to more than 30 (or so) years in the future--not that I need more than that, I
just thought it was interesting. BTW- I'm using eDirectory as the backend,
which seems to be blocking Windows users OK. So thanks for your help on that.

Anyone with any thoughts on why the account lockout isn't clearing?

Thanks!

-Matt


Thierry Lacoste
Posted: Thu Aug 09, 2007 1:00 am    Subject: [Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
> Dear Help,
>
> I'm currently running Samba with an LDAP passdb backend. I'm trying to
> figure out how to NOT allow a particular user to change their password
> (through Windows, or any interface). I've tried modifying the values for
> sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
> seems like it only effects making them change their password, instead of
> whether or not they're ALLOWED to.
With OpenLDAP one can use
ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.

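Both LDAP-side controls Thierry describes in this thread (the future-dated sambaPwdCanChange backed by a slapd.conf ACL, from his first reply, and the ppolicy overlay with pwdAllowUserChange: FALSE, from the post above), as an added Python example that generates the artefacts for review before they are applied. It is not code from the Samba or OpenLDAP projects. The suffix dc=example,dc=com, the admin DN, the policy entry cn=nochange and the user uid=matt are assumed; the epoch is clamped at 2^31-1 (2038-01-19 UTC), the largest value a 32-bit time_t can hold, which is consistent with the roughly 30-year ceiling Matt reports.

```python
"""Generate the LDAP-side artefacts for the two password-change lockdowns
discussed in the thread.  Added example, not Samba or OpenLDAP project code.
Assumed names: suffix dc=example,dc=com, admin DN cn=admin,<suffix>,
policy entry cn=nochange,ou=policies,<suffix>, user uid=matt."""
import calendar
from datetime import datetime

SUFFIX = "dc=example,dc=com"                      # assumption
ADMIN_DN = "cn=admin," + SUFFIX                   # smb.conf 'ldap admin dn' (assumption)
POLICY_DN = "cn=nochange,ou=policies," + SUFFIX   # assumption
MAX_32BIT_TIME = 2**31 - 1                        # 2038-01-19 03:14:07 UTC


def can_change_epoch(when_utc):
    """Epoch for sambaPwdCanChange from an ISO-8601 timestamp taken as UTC.

    Values past 2038 are clamped to the largest signed 32-bit time_t, which
    is consistent with the ~30-year ceiling reported in the thread."""
    when = datetime.strptime(when_utc, "%Y-%m-%dT%H:%M:%S")
    return min(calendar.timegm(when.timetuple()), MAX_32BIT_TIME)


def freeze_windows_change_ldif(user_dn, until_utc):
    """LDIF pushing sambaPwdCanChange into the future so Windows clients are
    refused a change until that date (Thierry's first suggestion)."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: sambaPwdCanChange\n"
        "sambaPwdCanChange: %d\n" % (user_dn, can_change_epoch(until_utc))
    )


def password_write_acl(admin_dn=ADMIN_DN):
    """slapd.conf access rule: only the admin DN may write the password
    attributes, so direct LDAP changes (ldappasswd and the like) are refused
    and Samba, binding as that DN, stays the only path."""
    return (
        "access to attrs=userPassword,sambaLMPassword,sambaNTPassword\n"
        '    by dn.exact="%s" write\n'
        "    by anonymous auth\n"
        "    by * none\n" % admin_dn
    )


def ppolicy_ldif(user_dn, policy_dn=POLICY_DN):
    """LDIF for the ppolicy route: a pwdPolicy entry with
    pwdAllowUserChange: FALSE, and the user pointed at it through the
    operational attribute pwdPolicySubentry.  Needs 'overlay ppolicy' and
    the ppolicy schema loaded in slapd.conf."""
    cn = policy_dn.split(",", 1)[0].split("=", 1)[1]
    return (
        "dn: %s\n"
        "changetype: add\n"
        "objectClass: device\n"
        "objectClass: pwdPolicy\n"
        "cn: %s\n"
        "pwdAttribute: userPassword\n"
        "pwdAllowUserChange: FALSE\n"
        "\n"
        "dn: %s\n"
        "changetype: modify\n"
        "replace: pwdPolicySubentry\n"
        "pwdPolicySubentry: %s\n" % (policy_dn, cn, user_dn, policy_dn)
    )


if __name__ == "__main__":
    user = "uid=matt,ou=people," + SUFFIX           # assumption
    print(freeze_windows_change_ldif(user, "2010-10-09T04:09:09"))
    print(password_write_acl())
    print(ppolicy_ldif(user))
```

Feed the LDIF to `ldapmodify -x -D "<admin DN>" -W -f <file>`, and place the access rule in slapd.conf ahead of any broader `access to *` rule, since rules are evaluated in order and the first one whose target matches wins. With the ppolicy route, `ldap passwd sync = only` in smb.conf applies as Thierry notes, and so does his caveat that a Windows client still reports a successful change; confirm the real outcome with `pdbedit -Lv` or by binding with the old password rather than trusting the client dialog.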
Matt Anderson
Posted: Thu Aug 09, 2007 4:40 pm    Subject: [Samba] Re: ppolicy overlay (WAS: Enforcing Password Policies...)

> If you add the ppolicy overlay you have a clean way to prevent password
> changes for some accounts (through Windows, or any interface).
> For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

Hi Thierry,

I think I have the disallow change password issue figured out.
I'm mostly concerned about changing through Windows... so I think everything you
mentioned should work out. So thanks!

However, I still can't figure out why accounts that are getting locked out
due to bad password attempts aren't unlocking after the amount of time
specified in the "lockout duration" policy in pdbedit.
Has anyone heard of this before? Or is there anything at all I can check or try?

Any help is most appreciated... because I'm starting to run out of ideas.

Thanks!

-Matt


