
Re: smbk5pwd and ppolicy working together



Hey Howard, Adam, and List:

I'm not even sure this is the path I ought to be going down.  If
smbk5pwd has no knowledge of ppolicy, and password changes from Windows
clients won't adhere to those restrictions with any combination of
configuration options in any currently known universe, perhaps what I
really need is an alternate strategy.  I'm open to suggestion; my only
requirements are that password changes from a Windows workstation be
subjected to the ppolicy constraints, and that the LDAP and Samba
passwords all be in sync.

However, here are the log entries and the relevant slapd configuration
options, pasted inline below:

Howard Chu wrote:
> Ryan Steele wrote:
>> I realize that 'only' is what I want and that's what I'm using, however
>> I think smbk5pwd is working.  The two snippets below show the
>> differences after a Windows user changes his password (from the
>> ctrl+alt+delete menu):
>
> Don't guess. Turn up the slapd debug level and show what it logs when
> you perform the actual password change.
>
Note that although the logs seem to indicate (at least to my untrained
eyes) that access to userPassword, sambaLMPassword, and sambaNTPassword
is denied, Windows tells me it's been updated, and I can in fact log out
and log back in with the new password.

Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr userPassword
Apr  3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (userPassword)
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "userPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute userPassword, value #0 not allowed

Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr sambaLMPassword
Apr  3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (sambaLMPassword)
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "sambaLMPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute sambaLMPassword, value #0 not allowed

Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr sambaNTPassword
Apr  3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (sambaNTPassword)
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "sambaNTPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute sambaNTPassword, value #0 not allowed


The only other references I found to these attributes in the logs (which
are at loglevel 128) are:

Apr  3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested


> Also, don't make us guess - post the relevant portion of your slapd
> configuration.
>
include         /etc/openldap/schema/ppolicy.schema

# Dynamic modules
moduleload      smbk5pwd.la

rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj

# Overlays - ppolicy for enforcing password restrictions and smbk5pwd
# for syncing LDAP and Samba passwords. Overlays stack in the order they
# are listed; per slapd.conf(5) the last one defined (here ppolicy) is the
# first to see an incoming operation.
overlay smbk5pwd
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

# ACL's - continuation lines in slapd.conf must begin with whitespace, so
# the attrs list is kept on the "access to" line rather than wrapped.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
   by   self    write
   by   *       auth

access to *
   by   *       read


The relevant output from slapcat is below.

>> sambaPwdCanChange: 1207134133
>> sambaPwdMustChange: 2147483647
>> userPassword:: e1NTSEF9UkxaOUdIZnVhNkV2ejBzS0JKNVVWQ2pVOHNnR29Ma1Q=
>> sambaPwdLastSet: 1207134133
>> sambaLMPassword: d85774cf671a9947aad3b435b51404ee
>> sambaNTPassword: baac3929fabc9e6dcd32421ba94a84d4
>> pwdChangedTime: 20080402110213Z
>> entryCSN: 20080402110213Z#000001#00#000000
>> modifiersName: cn=admin,dc=example,dc=com
>> modifyTimestamp: 20080402110213Z
>>
>>
>> sambaPwdMustChange: 2147483647
>> sambaPwdCanChange: 1207137250
>> userPassword:: e1NTSEF9NWMveHkxSkVtZDcvcnZuWFZ4a3dtMVJsUnAzUGdEQW4=
>> sambaPwdLastSet: 1207137250
>> sambaLMPassword: 614a6376feed376daad3b435b51404ee
>> sambaNTPassword: d01b4a346f59e594f299a41a48126188
>> pwdChangedTime: 20080402115410Z
>> entryCSN: 20080402115410Z#000001#00#000000
>> modifiersName: cn=admin,dc=example,dc=com
>> modifyTimestamp: 20080402115410Z
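An added example, not part of the original thread and not OpenLDAP code: a loglevel 128 ACL trace like the one quoted above spreads every decision over about ten lines, which makes it easy to misread which request was refused and for whom. The Python below groups such a trace into one record per access decision, noting the access type and attribute, the DN the request was evaluated for (an empty DN is an anonymous bind), every `by` clause pattern slapd tried, the clause that stopped the walk with its mask, and the outcome. The sample input is constructed from the lines in the post, re-joined onto one line each as syslog writes them, plus one rootdn request. Run over it, every denial turns out to be a read evaluated for `""`, i.e. the anonymous search on conn 5 hitting `by * auth`, and not the password-change modify, which would appear as a `write` decision; the `decisions_for(..., "write")` filter is there to isolate that when the full trace is fed in.

```python
import re

# Constructed sample input: loglevel 128 ACL trace lines of the kind quoted in
# the post, re-joined onto single lines. Two anonymous read decisions stopped by
# the "by * auth" clause, then one request evaluated for the rootdn, which
# short-circuits the ACL walk ("<= root access granted").
SAMPLE_LOG = """\
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute userPassword, value #0 not allowed
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr  3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr  3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr  3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute sambaLMPassword, value #0 not allowed
Apr  3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
Apr  3 07:27:00 ldapmaster slapd[1012]: <= root access granted
"""

# Patterns for the slapd acl.c trace lines this parser cares about.
RE_REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]+)" requested')
RE_BY = re.compile(r'=> acl_mask: to .* by "([^"]*)"')
RE_PAT = re.compile(r'<= check a_dn_pat: (\S+)')
RE_APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)')
RE_RESULT = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')
RE_ROOT = re.compile(r'<= root access granted')


def parse_acl_trace(text):
    """Group an ACL trace into one dict per access decision.

    A decision starts at an "access_allowed: ... requested" line and collects
    the DN the request was evaluated for ("" means anonymous), every `by`
    pattern slapd tried, the clause index and mask that stopped evaluation,
    and the outcome: "granted", "denied" or "root" (rootdn bypasses ACLs).
    """
    decisions, cur = [], None
    for line in text.splitlines():
        if (m := RE_REQUEST.search(line)):
            cur = {"access": m.group(1), "entry": m.group(2), "attr": m.group(3),
                   "requester": None, "patterns": [], "clause": None,
                   "mask": None, "result": None}
            decisions.append(cur)
        elif cur is None:
            continue  # trace noise before the first request line
        elif RE_ROOT.search(line):
            cur["result"] = "root"
        elif (m := RE_BY.search(line)):
            cur["requester"] = m.group(1)
        elif (m := RE_PAT.search(line)):
            cur["patterns"].append(m.group(1))
        elif (m := RE_APPLY.search(line)):
            cur["clause"], cur["mask"] = int(m.group(1)), m.group(2)
        elif (m := RE_RESULT.search(line)):
            cur["result"], cur["mask"] = m.group(2), m.group(3)
    return decisions


def anonymous_denials(decisions):
    """Attributes refused to an unauthenticated requester (empty DN)."""
    return [d["attr"] for d in decisions
            if d["requester"] == "" and d["result"] == "denied"]


def decisions_for(decisions, access):
    """Only decisions of one access type: "write" isolates the modify a
    password change produces, "read" the searches around it."""
    return [d for d in decisions if d["access"] == access]


if __name__ == "__main__":
    for d in parse_acl_trace(SAMPLE_LOG):
        who = ("rootdn" if d["result"] == "root"
               else "anonymous" if d["requester"] == "" else d["requester"])
        print(f'{d["access"]:5} {d["attr"]:16} by {who:10} -> {d["result"]}'
              f' (clause {d["clause"]}, mask {d["mask"]}, tried {d["patterns"]})')
```

Feed it the complete trace around the Windows password change (the whole time window, not a grep for attribute names) and look first at the `write` decisions: those are the ones that show whether the modify came in as the user (`by self write`), as the rootdn, or anonymously.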