When a user on one of our Windows clients hits ctrl-alt-delete to change his password, our Samba domain controller is notified and performs the password change.

Unfortunately, the group policy rule requiring password complexity is ignored. Further, we recently began implementing Kerberos, and Samba isn't set up to update the principals.

I feel that the simplest way to fix this would be to disable password changes from our Windows clients on the domain (users can use our web services to change passwords instead).

What's the simplest way to implement this? Hopefully in the smb.conf.


3 Answers


If you have a mechanism for updating the registry on the Windows Computers you can set the

DWORD value to 1 in:



This will disable the change password button in the Windows Security dialog box.

Richard Slater
  • Thanks. I'd pretty much convinced myself that this is impossible through Samba (without totally disabling smbpasswd). I will give this a try for disabling it per-client. My other option, if I go the route of not disabling the password change function, seems to be simply to set up smb.conf to call kadmin to change user passwords and continue to do an LDAP sync as it does now. With the password program option, I can wrap a set of password rules around the kadmin call. This will involve rewriting our current password scripts that call smbpasswd and kpasswd to only call smbpasswd. – thras Jun 25 '09 at 20:26
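
The password-rule wrapper mentioned in the comment above could start from a check like this one. It is an added example, not code from the original thread: the rules (minimum length 8, three of four character classes, no account name in the password), the function name `check_password` and the `--check` mode are assumptions, and the kadmin/smbpasswd update and the `passwd chat` prompt handling are left to the site's own scripts.

```shell
#!/bin/sh
# Added example: rule check for a wrapper used as the smb.conf "passwd program".
# The rules below are assumptions, not taken from the thread:
#   - at least MIN_LEN characters
#   - characters from at least 3 of 4 classes (lower, upper, digit, other)
#   - must not contain the account name (case-insensitive)
LC_ALL=C; export LC_ALL   # make [a-z] / [A-Z] ranges behave byte-wise
MIN_LEN=8

# check_password USER PASSWORD -> returns 0 if acceptable, 1 if rejected
check_password() {
    user=$1
    pw=$2

    [ "${#pw}" -ge "$MIN_LEN" ] || return 1

    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ] || return 1

    lc_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lc_user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    if [ -n "$lc_user" ]; then
        # Quoted pattern: the account name is matched literally, not as a glob.
        case $lc_pw in *"$lc_user"*) return 1 ;; esac
    fi
    return 0
}

# Hypothetical wrapper mode: "script --check USER" reads the candidate
# password from stdin so it never appears in the process list.
if [ "${1:-}" = "--check" ]; then
    IFS= read -r candidate || true
    if check_password "${2:-}" "$candidate"; then
        # The site's own kadmin / smbpasswd update would run here (not shown).
        exit 0
    fi
    echo "password rejected by policy" >&2
    exit 1
fi
```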

Depending upon your configuration, enabling

pam password change = no

May do the trick.


You could try to modify the parameters passwd program and passwd chat in smb.conf, setting them to /bin/false or something. Not sure that this will help though.
