Preventing users from changing their password with PAM

Blocking AD users from using passwd

I had to design a system recently for a client which has a mixture of local users and remote users that are authenticated using LDAP against Active Directory (actually, with Quest Authentication Services running in between). One of the requirements was that AD users should not be able to change their password using the passwd command as they had an external management system for users that fed into AD (and other things). I needed to allow normal users to operate normally but fail AD users with some polite message to tell them what was going on, rather than just a random error that would cause them to call support every time. Trolling the web didn’t seem to reveal much apart from doing nasty things to /bin/passwd like chattr’ing it, or moving it to /sbin… since we’re not in the 90’s anymore I was sure there was a way to do this with PAM.

My PAM knowledge is limited to say the least, and maybe my google-fu isn’t up to much because I struggled to find anything that did exactly what I wanted.

Eventually, after some tweaking, I came up with the following which seems to work on CentOS…

Edit /etc/pam.d/passwd and change it to read :-

This should work normally for root and local users but give a warning and fail to AD users.

Follow and share if you liked this

Related Post

Be the first to comment

Leave a Reply

Your email address will not be published.