
Re: smbk5pwd and ppolicy working together



> >> I say this because clients joined to the domain (run by a Samba PDC with
> >> an OpenLDAP backend) can change their passwords and it updates the NT/LM
> >> passwords in LDAP, thus verifying the functionality of smbk5pwd, but it
> >> does not appear to enforce ppolicy restrictions.  On the flip side of
> >> the coin, the user can change their LDAP password by invoking ldappasswd
> >> from a shell on the server, and are bound by the restrictions set forth
> >> by ppolicy (password length, strength, historical passwords, etc.).
> > The ppolicy overlay is adding extra functionality to the password
> > extended operation.  ldappasswd uses this.  The restriction is not
> > present if you update the password hash via the ldapmodify command.  The
> > key is in the extended operation.  As an added tidbit only userPassword
> > is monitored not any other attribute.
> > Samba does password changes via an ldapmodify rather than an ldappasswd
> > (unless you have ldap passwd sync = Only which I have never personally
> > used so I have no tests to back this up).  This would explain why LDAP
> > has the policy enforcing and Samba does not.
> My 'passwd program' in my smb.conf is "passwd program =
> /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com" - so
> it should be using ldappasswd, which is bound by ppolicy, correct?

You shouldn't need a "passwd program" when using an LDAP SAM.

> I've tried 'ldap passwd sync = only', after my failures with 'ldap
> passwd sync = yes' led me back to the documentation, however this
> yielded no success.

I'm pretty sure if you have "ldap passwd sync = yes" that your "passwd
program" directive is irrelevant since this means Samba is doing an
ldapmodify to set the NT, LM, and userPassword attributes - your passwd
program isn't doing anything.  If "only" doesn't work then I strongly
suspect that your smbk5pwd module is *not* working, otherwise "only"
would be the only mode to make any sense.  By setting "ldap passwd sync
= yes" you're, at best, doing the work of smbk5pwd twice.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
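The two smb.conf modes discussed in this thread, side by side with the slapd.conf overlay stanza they depend on, as an added example that is not part of the original message. The LDAP host, the suffix, the database type and the default policy DN (which must already exist as a pwdPolicy entry) are assumptions.

```conf
# --- slapd.conf (OpenLDAP side), assumed layout ---
moduleload  ppolicy.la
moduleload  smbk5pwd.la

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"

# ppolicy hooks the Password Modify extended operation (what ldappasswd
# and "ldap passwd sync = only" use); a plain ldapmodify of the hash
# attributes is not checked against the policy, as the thread explains.
overlay     ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# smbk5pwd derives sambaNTPassword/sambaLMPassword from the same
# extended operation, so Samba never has to write them itself.
overlay     smbk5pwd
smbk5pwd-enable samba

# --- smb.conf, setup described in the thread (policy is bypassed) ---
[global]
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix    = dc=example,dc=com
    ldap user suffix = ou=Users
    # "yes": Samba rewrites NT, LM and userPassword via ldapmodify,
    # so ppolicy never sees the change and smbk5pwd's work is duplicated.
    ldap passwd sync = yes
    # Irrelevant in this mode; Samba does not invoke it.
    passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com

# --- smb.conf, intended setup with a working smbk5pwd ---
[global]
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix    = dc=example,dc=com
    ldap user suffix = ou=Users
    # "only": Samba changes userPassword through the Password Modify
    # extended operation; ppolicy enforces length/quality/history and
    # smbk5pwd fills in the NT/LM hashes. No "passwd program" is needed.
    ldap passwd sync = only
```

If the policy is still not enforced with "only", the thread's diagnosis applies: verify that smbk5pwd is actually loaded (check the slapd log at startup) before changing anything on the Samba side.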