On a server running Debian Wheezy and Samba ver 3 with a tdb backend, how do I restrict a single user from changing the password? This account is one of 2 generic accounts, one for students and one for Teachers on Call (TOC). The users are created, but I'm not deploying the server yet. When looking through Google, I came across setting the maximum password age, but not setting the minimum password age (I'd be happy with a 5 year password...)

Canadian Luke
  • If they're generic accounts, do you need a password at all? Looks like you could use pdbedit to flag an account as 'no password required'. https://www.samba.org/samba/docs/man/manpages/pdbedit.8.html – jlehtinen Nov 08 '13 at 21:36
  • @jlehtinen That's one possible move, but all the other servers expect the two generic accounts to have a set password. You can definitely add that as an answer though, but I'd still wait to see if I can set the original option in my question – Canadian Luke Nov 08 '13 at 21:39
  • I guess I don't know your exact setup, but if the only thing the server is exposing is an SMB share, and users aren't logging directly into the server where the tdb instance is hosted, I really can't think how they would be able to even attempt a password change. Wouldn't they need to be able to telnet/ssh/login at console to edit the Samba config or change their pw? Not saying that's good security or anything - just speculating. – jlehtinen Nov 08 '13 at 21:46
  • It's a domain controller, so the users log in to the domain. The user can press ctrl alt delete to change their password – Canadian Luke Nov 08 '13 at 21:55
  • Does this help? http://serverfault.com/questions/31807/disabling-windows-password-changes-on-samba-domain – jlehtinen Nov 08 '13 at 22:18
  • @jlehtinen Unfortunately, that disables it for every user – Canadian Luke Nov 08 '13 at 22:21

1 Answer

Found the answer, talking with another IT fellow.

When adding (or updating) the user, change the system time and date to something far, far away, such as the year 2020. Then add the user / change the password, then change the date back.

# date 121212122020.00
# pdbedit -a username
# smbpasswd username
# rdate -n -s time.server.url

The Password can change date is so far ahead that Windows isn't allowed to change it. This solves the problem!

One thing I did learn though about this is to do it after hours, as it seems to affect users' abilities to log in to the file server... I caught that before I did it though.

Canadian Luke
  • That's a pretty nasty solution -- it relies on being able to muck about with your system's time (which may be fine for your environment, but if I did that our compliance auditor would nail my hide to his office door as a trophy!) I can't believe there's not a more elegant solution than that - it's depressing :-( – voretaq7 Nov 15 '13 at 08:01
  • I agree. Luckily, a manager of mine was who told me – Canadian Luke Nov 15 '13 at 08:02
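
A check for the lock described in the answer above, as an added example that is not part of the original post: it reads the "Password can change" line from `pdbedit -L -v <user>` output and reports whether that date is still in the future. The function names and the sample record are constructed for illustration, and the timestamp parsing assumes GNU `date`.

```sh
#!/bin/sh
# Constructed sample of `pdbedit -L -v student` output (not from a real server).
# It mirrors the answer's clock setting of 12 Dec 2020.
SAMPLE='Unix username:        student
Account Flags:        [U          ]
Password last set:    Sat, 12 Dec 2020 12:12:34 UTC
Password can change:  Sat, 12 Dec 2020 12:12:34 UTC
Password must change: never'

# Print the value of the "Password can change" field from text on stdin.
can_change_field() {
    sed -n 's/^Password can change:[[:space:]]*//p' | head -n 1
}

# lock_status NOW_EPOCH   (pdbedit -L -v text on stdin)
# Prints "locked <days>" while the change date is still ahead of NOW_EPOCH,
# "open" once it has passed or is unset, and passes "never" through verbatim.
lock_status() {
    now=$1
    value=$(can_change_field)
    case "$value" in
        ''|0)  echo "open";  return 0 ;;
        never) echo "never"; return 0 ;;
    esac
    # GNU date parses the "Sat, 12 Dec 2020 12:12:34 UTC" style timestamp.
    when=$(date -u -d "$value" +%s) || { echo "unparsed"; return 1; }
    if [ "$when" -gt "$now" ]; then
        echo "locked $(( (when - now) / 86400 ))"
    else
        echo "open"
    fi
}

# Demo on the constructed sample, evaluated against the current time.
# On a live server: pdbedit -L -v student | lock_status "$(date +%s)"
printf '%s\n' "$SAMPLE" | lock_status "$(date +%s)"
```

Run against the real clock, an account stamped with the 2020 date now reports `open`: the restriction only holds until the chosen date arrives, so the check is worth scheduling for any account set up this way.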