[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: smbk5pwd and ppolicy working together

> >> I say this because clients joined to the domain (run by a Samba PDC with
> >> an OpenLDAP backend) can change their passwords and it updates the NT/LM
> >> passwords in LDAP, thus verifying the functionality of smk5pwd, but it
> >> does not appear to enforce ppolicy restrictions.  On the flip side of
> >> the coin, the user can change their LDAP password by invoking ldappasswd
> >> from a shell on the server, and are bound by the restrictions set forth
> >> by ppolicy (password length, strength, historical passwords, etc.).
> > The ppolicy overlay is adding extra functionality to the password
> > extended operation.  ldappasswd uses this.  The restriction is not
> > present if you update the password hash via the ldapmodify command.  The
> > key is in the extended operation.  As an added tidbit only userPassword
> > is monitored not any other attribute.
> > Samba does password changes via an ldapmodify rather than an ldappasswd
> > (unless you have ldap passwd sync = Only which I have never personally
> > used so I have no tests to back this up).  This would explain why LDAP
> > has the policy enforcing and Samba does not.
> My 'passwd program' in my smb.conf is "passwd program =
> /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com" - so
> it should be using ldappasswd, which is bound by ppolicy, correct?

You shouldn't need a "passwd program" when using an LDAP SAM.

> I've tried 'ldap passwd sync = only', after my failures with 'ldap
> passwd sync = yes' lead me back to the documentation, however this
> yielded no success.

I'm pretty sure if you have "ldap passwd sync = yes" that your "passwd
program" directive is irrelevant since this means Samba is doing an
ldapmodify to set the NT, LM, and userPassword attributes - your passwd
program isn't doing anything.  If "only" doesn't work then I strongly
suspect that your smk5pwd module is *not* working, otherwise "only"
would be the only mode to make any sense.  By setting "ldap passwd sync
= yes" your, at best, doing the work of smbk5pwd twice.

Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org