Re: Password expiration question (ppolicy and smbk5wpd interaction)

[Tony Earnshaw <tonni@hetnet.nl>]

Pat Riehecky skrev, on 07-01-2008 21:16:

> Like many before me I would love to get the smbk5pwd module up and
> running, but I have a question.
>
> In OpenLDAP 2.4.7:
> If I set a password expiration time up (with ppolicy), and the user's
> password expires, does it lock the Heimdal, Samba, and ldap passwords?
>
> On the flip side, if I set a password expiration time up (with
> smbk5pwd), and the user's password expires, does it lock the Heimdal,
> Samba, and ldap passwords?
>
> Or perhaps more to the point, what can I do to keep all three of these
> passwords either all valid or all expired at the same time?
>
> The documentation is a bit vague on this one point, and the archives
> left me still in confusion.....

My site's been running an enforced user password-change policy since mid 
December last. We have both Linux and Samba clients.

OL ppolicy as such will only work for Linux clients using pam_ldap, 
though password changes using smbk5pwd do change the sambaLMPassword and 
sambaNTPassword attributes in sync (that's what the smbk5pwd overlay is 
for). Samba 3.x itself has no support for OL ppolicy and Samba 
equivalents have to be configured parallel to it, using the Samba 
pdbedit utility. Only Samba reads the Samba-specific LDAP attributes.

Linux password criteria should be enforced using pam's pam_cracklib 
component (this is particularly important if the site's using chaining 
of referrals). NT password strength can be ensured compiling and using 
using the crackcheck program included with the source.

Updating KerberosV tickets is a completely different kettle of fish and 
has nothing to do with ppolicy.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl