Re: Password expiration question (ppolicy and smbk5wpd interaction)
Pat Riehecky wrote, on 07-01-2008 21:16:
> Like many before me I would love to get the smbk5pwd module up and
> running, but I have a question.
>
> In OpenLDAP 2.4.7:
>
> If I set a password expiration time up (with ppolicy), and the user's
> password expires, does it lock the Heimdal, Samba, and ldap passwords?
>
> On the flip side, if I set a password expiration time up (with
> smbk5pwd), and the user's password expires, does it lock the Heimdal,
> Samba, and ldap passwords?
>
> Or perhaps more to the point, what can I do to keep all three of these
> passwords either all valid or all expired at the same time?
>
> The documentation is a bit vague on this one point, and the archives
> left me still in confusion.....

My site's been running an enforced user password-change policy since mid
December last. We have both Linux and Samba clients.
OL ppolicy as such will only work for Linux clients using pam_ldap,
though password changes using smbk5pwd do change the sambaLMPassword and
sambaNTPassword attributes in sync (that's what the smbk5pwd overlay is
for). Samba 3.x itself has no support for OL ppolicy and Samba
equivalents have to be configured parallel to it, using the Samba
pdbedit utility. Only Samba reads the Samba-specific LDAP attributes.
Linux password criteria should be enforced using pam's pam_cracklib
component (this is particularly important if the site's using chaining
of referrals). NT password strength can be ensured by compiling and
using the crackcheck program included with the source.
Updating KerberosV tickets is a completely different kettle of fish and
has nothing to do with ppolicy.
Email: tonni at hetnet dot nl
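
As an added illustration (not part of the original message): the reply says Samba's policy has to be configured in parallel to ppolicy with pdbedit, so this sketch derives both sets of settings from one group of values and only prints them. The policy DN, the numbers and the function names are assumptions made up for the example; note that ppolicy durations are in seconds while Samba's "lockout duration" is in minutes.

```shell
#!/bin/sh
# Added example: print matching OpenLDAP ppolicy and Samba account-policy
# settings from one set of values. Nothing is applied to any server.
# All values below are constructed for illustration.
POLICY_DN="cn=default,ou=policies,dc=example,dc=com"  # hypothetical DN
MAX_AGE_DAYS=90
HISTORY=5
MAX_FAILURES=5
LOCKOUT_MINUTES=30

days_to_seconds() { echo $(( $1 * 86400 )); }

# LDIF for the ppolicy entry; pwdMaxAge and pwdLockoutDuration are in seconds.
ppolicy_ldif() {
    cat <<EOF
dn: $POLICY_DN
changetype: modify
replace: pwdMaxAge
pwdMaxAge: $(days_to_seconds "$MAX_AGE_DAYS")
-
replace: pwdInHistory
pwdInHistory: $HISTORY
-
replace: pwdMaxFailure
pwdMaxFailure: $MAX_FAILURES
-
replace: pwdLockout
pwdLockout: TRUE
-
replace: pwdLockoutDuration
pwdLockoutDuration: $(( LOCKOUT_MINUTES * 60 ))
EOF
}

# Matching pdbedit commands: maximum age in seconds, lockout duration in minutes.
samba_policy_cmds() {
    printf 'pdbedit -P "maximum password age" -C %s\n' "$(days_to_seconds "$MAX_AGE_DAYS")"
    printf 'pdbedit -P "password history" -C %s\n' "$HISTORY"
    printf 'pdbedit -P "bad lockout attempt" -C %s\n' "$MAX_FAILURES"
    printf 'pdbedit -P "lockout duration" -C %s\n' "$LOCKOUT_MINUTES"
}

ppolicy_ldif
samba_policy_cmds
```

The LDIF would be fed to ldapmodify and the pdbedit lines run on the Samba server; Kerberos is not covered, in line with the reply above.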