Samba4 – detect password change

password samba4

I want to detect when a user changes his password on the Samba4 DC.
As far as I know, Samba4 stores the passwords in /var/lib/samba/private/secrets.tdb.
But when I change a password with smbpasswd the file does not change, the last change date is unchanged and the md5sum is the same.

So how can I detect if a password was changed?

Best Answer

Samba 4.x in domain controller mode stores the entire user account information in its built-in directory service database (not to be confused with a filesystem directory), very much like Windows DCs do.

The directory can be accessed with the LDAP protocol, so you can use the ldapsearch command to query account information, including the pwdLastSet attribute. However, be aware that this attribute may not be replicated between DCs; in this case you should query all of them separately.
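An added example, not part of the original answer: one way to turn the ldapsearch output described above into a change detector, by parsing pwdLastSet from each DC, keeping the newest value per account, and comparing it with a stored baseline. The host name, base DN, account names and LDIF values are constructed placeholders, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample LDIF, shaped like the output of (placeholder host and base DN):
#   ldapsearch -o ldif-wrap=no -H ldap://dc1.example.com -b 'DC=example,DC=com' \
#     '(objectClass=user)' sAMAccountName pwdLastSet
DC1_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
pwdLastSet: 133500000000000000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
pwdLastSet: 133400000000000000
"""
# Same query against a second DC; alice's value is one day newer here.
DC2_LDIF = DC1_LDIF.replace("133500000000000000", "133500864000000000")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def parse_pwd_last_set(ldif):
    """Return {sAMAccountName: pwdLastSet} from unwrapped LDIF text."""
    result = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "sAMAccountName" in attrs and "pwdLastSet" in attrs:
            result[attrs["sAMAccountName"]] = int(attrs["pwdLastSet"])
    return result

def merge_dcs(*snapshots):
    """Keep the newest pwdLastSet seen on any DC for each account."""
    merged = {}
    for snap in snapshots:
        for user, value in snap.items():
            merged[user] = max(value, merged.get(user, 0))
    return merged

def changed_accounts(baseline, current):
    """Accounts whose pwdLastSet differs from the baseline (new accounts included)."""
    return {u: filetime_to_utc(v) for u, v in current.items() if baseline.get(u) != v}

if __name__ == "__main__":
    baseline = parse_pwd_last_set(DC1_LDIF)  # snapshot saved from an earlier run
    current = merge_dcs(parse_pwd_last_set(DC1_LDIF), parse_pwd_last_set(DC2_LDIF))
    for user, when in changed_accounts(baseline, current).items():
        print(f"{user}: password changed at {when.isoformat()}")
```

In practice the baseline would be persisted between runs (for example as a JSON file) and replaced with the merged snapshot after each comparison.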