On 06/26/2012 01:28 PM, Rich Megginson wrote:
> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>>> Hi,
>>>>>
>>>>> while using freeIPA as a user database for a samba installation I found
>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>> policies are more detailed than samba's: in freeIPA one may enforce
>>>>> password history and the number of character classes in a password, but
>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>> policies are not enforced.
>>>>>
>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>> when changing passwords:
>>>>>
>>>>> * Password change by the user, with full enforcement of policies
>>>>> * Password change by an admin, with no enforcement of policies and
>>>>>   the new password is set as expired so the user has to change it
>>>>>   on next logon
>>>>> * Password change by Directory Manager, with no enforcement of
>>>>>   policies and the password is not set as expired.
>>>>>
>>>>> None of the aforementioned possibilities are ideal for samba; samba
>>>>> should connect to freeIPA with a user privileged enough to change
>>>>> passwords for all users but with fully enforced policies.
>>>>>
>>>>> What do you think about this? Would you consider adding such a feature?
>>>>> Would you accept patches?
>>>>>
>>>> Can you please explain why samba needs to connect to IPA and change
>>>> the passwords?
>>>> In what role do you use samba? As a file server or as something else?
>>>> I am not sure I follow why you need the password change functionality.
>>>> There is a way to set up Samba FS with IPA without trying to make IPA a
>>>> back end for Samba.
>>>> I can try to dig up some writeups on the matter if you are interested.
>>>
>>> Samba 3, when used as a PDC/BDC, can use an LDAP server as its user/group
>>> database. To do that samba connects with a privileged user to the LDAP
>>> directory and manages some attributes of users and groups in the
>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>> attribute to users, groups and machines of the domain.
>>>
>>> When users of Windows workstations in a samba domain change their
>>> passwords, samba updates the sambaNTPassword, userPassword,
>>> sambaLastPwdChange and sambaPwdMustChange attributes of the corresponding
>>> ldap user.
>>>
>>> Using freeIPA as the ldap user backend for samba works quite well, except
>>> for the password policy problem mentioned in the last mail, and that it is
>>> hard to maintain the enabled/disabled status of an account in sync.
>>
>> What is the value of using FreeIPA as a Samba back end in comparison
>> to other variants?
>> Why is IPA more interesting than, say, 389-DS or OpenLDAP or native Samba?
>
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
> cannot do this - the functionality that does this is provided by an
> IPA password plugin. Openldap has a similar plugin, but I think it is
> "contrib" and not "officially supported".
>

I know that Endi did the work to make 389 a viable back end for Samba,
and it passed all the Samba torture tests, so I am not sure I agree with
you. Samba does the kerberos operations itself and uses LDAP as storage
only. This is why I am struggling to understand the use case. It seems
that Loris has a different configuration that I do not quite understand,
thus the questions.

>> What other features of IPA are used in such a setup?
>>
>> Answering these (and maybe other) questions would help us to
>> understand how common the use case that you brought up is.
>>
>>>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
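To make the policy gap discussed in this thread concrete, here is an added Python model, written for this discussion rather than taken from FreeIPA, 389-ds or Samba, of the three bind cases Loris lists from ipa_pwd_extop (user, admin, Directory Manager) plus the fourth mode he proposes (a privileged bind that still has policies enforced), together with the two policy checks he names, password history and number of character classes. The policy values, the PBKDF2 hashing, the in-memory entry and the names `Bind`, `PasswordPolicy`, `UserEntry` and `change_password` are all assumptions of the model; real IPA stores hashes in the directory and applies its configured policy.

```python
"""Model of how a password change is treated depending on who is bound.

Illustrative model for the freeipa-devel discussion; not FreeIPA, 389-ds or
Samba code.  Hashing, policy values and names are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Bind(Enum):
    """Identity bound to the directory when the password change arrives."""
    USER = auto()               # user changing their own password
    ADMIN = auto()              # IPA admin changing someone else's password
    DIRECTORY_MANAGER = auto()  # cn=Directory Manager, what Samba normally binds as
    ENFORCING_SERVICE = auto()  # hypothetical: privileged bind with policy enforced


@dataclass
class PasswordPolicy:
    min_length: int = 8
    min_classes: int = 3   # out of lower, upper, digit, other
    history_size: int = 5  # previous passwords that may not be reused


@dataclass
class UserEntry:
    uid: str
    password_hash: bytes = b""                  # current password (salted hash)
    history: List[bytes] = field(default_factory=list)  # previous hashes, newest first
    password_expired: bool = False              # must change at next logon


SALT_LEN = 16
PBKDF2_ROUNDS = 50_000  # constructed value, kept low so the example runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored as a prefix of the hash."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def password_matches(stored: bytes, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(stored, hash_password(candidate, stored[:SALT_LEN]))


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def policy_violations(entry: UserEntry, candidate: str, policy: PasswordPolicy) -> List[str]:
    """The checks Samba bypasses when it binds as Directory Manager."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if character_classes(candidate) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    previous = [h for h in (entry.password_hash, *entry.history) if h]
    if any(password_matches(h, candidate) for h in previous):
        violations.append("reuses a password in history")
    return violations


def change_password(entry: UserEntry, candidate: str, bind: Bind,
                    policy: PasswordPolicy) -> List[str]:
    """Apply a change the way each bind is treated in the thread.

    Returns the policy violations; an empty list means the change was applied.
    USER and the hypothetical ENFORCING_SERVICE enforce policy; ADMIN skips it
    but marks the password expired; DIRECTORY_MANAGER skips both.
    """
    if bind in (Bind.USER, Bind.ENFORCING_SERVICE):
        violations = policy_violations(entry, candidate, policy)
        if violations:
            return violations
    if entry.password_hash:
        entry.history = [entry.password_hash, *entry.history][:policy.history_size]
    entry.password_hash = hash_password(candidate)
    entry.password_expired = bind is Bind.ADMIN
    return []


if __name__ == "__main__":
    policy = PasswordPolicy()
    user = UserEntry("loris")  # constructed sample entry
    print("user sets 'weak':", change_password(user, "weak", Bind.USER, policy))
    print("DM sets 'weak':", change_password(user, "weak", Bind.DIRECTORY_MANAGER, policy),
          "expired:", user.password_expired)
```

Running the script shows the two outcomes side by side: the same weak password is rejected when the user submits it and silently accepted, without being marked expired, when it arrives via the Directory Manager bind, which is exactly the path a Samba PDC takes. The `ENFORCING_SERVICE` branch is only the proposal from the thread expressed in code; it is not a mode ipa_pwd_extop offers.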
