On 06/25/2012 09:02 PM, Loris Santamaria wrote:
> Hi,
>
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's, in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
>
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>
>       * Password change by the user, with full enforcement of policies
>       * Password change by an admin, with no enforcement of policies and
>         the new password is set as expired so the user has to change it
>         on next logon
>       * Password change by Directory Manager, with no enforcement of
>         policies and the password is not set as expired.
>
> None of the aforementioned possibilities are ideal for samba, samba
> should connect to freeIPA with a user privileged enough to change
> password for all users but with fully enforced policies.
>
> What do you think about this? Would you consider adding such feature?
> Would you accept patches?
>

Can you please explain why samba needs to connect to IPA and change the
passwords?
In what role you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to setup Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.

>  
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to