On 06/25/2012 09:02 PM, Loris Santamaria wrote:
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's; in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>   * Password change by the user, with full enforcement of policies
>   * Password change by an admin, with no enforcement of policies and
>     the new password is set as expired so the user has to change it
>     on next logon
>   * Password change by Directory Manager, with no enforcement of
>     policies and the password is not set as expired.
> None of the aforementioned possibilities are ideal for samba; samba
> should connect to freeIPA with a user privileged enough to change
> password for all users but with fully enforced policies.
> What do you think about this? Would you consider adding such a feature?
> Would you accept patches?
Can you please explain why samba needs to connect to IPA and change the
In what role do you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to set up Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig up some writeups on the matter if you are interested.
> Freeipa-devel mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.