Re: smbk5pwd and ppolicy working together

[Ryan Steele <rsteele@archer-group.com>]

Adam Tauno Williams wrote:
>>>> I say this because clients joined to the domain (run by a Samba PDC with
>>>> an OpenLDAP backend) can change their passwords and it updates the NT/LM
>>>> passwords in LDAP, thus verifying the functionality of smk5pwd, but it
>>>> does not appear to enforce ppolicy restrictions.  On the flip side of
>>>> the coin, the user can change their LDAP password by invoking ldappasswd
>>>> from a shell on the server, and are bound by the restrictions set forth
>>>> by ppolicy (password length, strength, historical passwords, etc.).
>>>>         
>>> The ppolicy overlay is adding extra functionality to the password
>>> extended operation.  ldappasswd uses this.  The restriction is not
>>> present if you update the password hash via the ldapmodify command.  The
>>> key is in the extended operation.  As an added tidbit only userPassword
>>> is monitored not any other attribute.
>>> Samba does password changes via an ldapmodify rather than an ldappasswd
>>> (unless you have ldap passwd sync = Only which I have never personally
>>> used so I have no tests to back this up).  This would explain why LDAP
>>> has the policy enforcing and Samba does not.
>>>       
>> My 'passwd program' in my smb.conf is "passwd program =
>> /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com" - so
>> it should be using ldappasswd, which is bound by ppolicy, correct?
>>     
>
> You shouldn't need a "passwd program" when using an LDAP SAM.
>
>   

You're right.  In reading the Samba documentation, I see that's only for
updating Unix passwords, not LDAP passwords (though I suppose it's
relevant if PAM is using LDAP and you set 'unix passwd sync = yes';
however, this is not my situation).

>> I've tried 'ldap passwd sync = only', after my failures with 'ldap
>> passwd sync = yes' lead me back to the documentation, however this
>> yielded no success.
>>     
>
> I'm pretty sure if you have "ldap passwd sync = yes" that your "passwd
> program" directive is irrelevant since this means Samba is doing an
> ldapmodify to set the NT, LM, and userPassword attributes - your passwd
> program isn't doing anything.  If "only" doesn't work then I strongly
> suspect that your smk5pwd module is *not* working, otherwise "only"
> would be the only mode to make any sense.  By setting "ldap passwd sync
> = yes" your, at best, doing the work of smbk5pwd twice.
>
>   
I realize that 'only' is what I want and that's what I'm using, however
I think smbk5pwd is working.  The two snippets below are show the
differences after a Windows user changes his password (from the
ctrl+alt+delete menu):

sambaPwdCanChange: 1207134133
sambaPwdMustChange: 2147483647
userPassword:: e1NTSEF9UkxaOUdIZnVhNkV2ejBzS0JKNVVWQ2pVOHNnR29Ma1Q=
sambaPwdLastSet: 1207134133
sambaLMPassword: d85774cf671a9947aad3b435b51404ee
sambaNTPassword: baac3929fabc9e6dcd32421ba94a84d4
pwdChangedTime: 20080402110213Z
entryCSN: 20080402110213Z#000001#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080402110213Z


sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1207137250
userPassword:: e1NTSEF9NWMveHkxSkVtZDcvcnZuWFZ4a3dtMVJsUnAzUGdEQW4=
sambaPwdLastSet: 1207137250
sambaLMPassword: 614a6376feed376daad3b435b51404ee
sambaNTPassword: d01b4a346f59e594f299a41a48126188
pwdChangedTime: 20080402115410Z
entryCSN: 20080402115410Z#000001#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080402115410Z


Unless my test or logic (or both) are fundamentally flawed, it seems
like the NT and LM passwords are being changed, along with the other
attributes listed above.  Interestingly enough, however, the
modifiersName is admin (who isn't bound by the ppolicy restrictions) -
perhaps that is what's causing the circumvention of ppolicy?  Should I
be investigating a way to force the modifier to be the user themselves?


Thanks as always for advice and constructive criticisms.

Ryan