On 06/26/2012 01:28 PM, Rich Megginson wrote:
> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>>> While using freeIPA as a user database for a samba installation I found
>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>>> password history and the number of character classes in a password, but
>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>> policies are not enforced.
>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>> when changing passwords:
>>>>> * Password change by the user, with full enforcement of policies
>>>>> * Password change by an admin, with no enforcement of policies and
>>>>> the new password is set as expired so the user has to change it
>>>>> on next logon
>>>>> * Password change by Directory Manager, with no enforcement of
>>>>> policies and the password is not set as expired.
>>>>> None of the aforementioned possibilities are ideal for samba, samba
>>>>> should connect to freeIPA with a user privileged enough to change
>>>>> password for all users but with fully enforced policies.
>>>>> What do you think about this? Would you consider adding such feature?
>>>>> Would you accept patches?
>>>> Can you please explain why samba needs to connect to IPA and change
>>>> the passwords?
>>>> In what role do you use samba? As a file server or as something else?
>>>> I am not sure I follow why you need the password change functionality.
>>>> There is a way to set up Samba FS with IPA without trying to make IPA a
>>>> back end for Samba.
>>>> I can try to dig some writeups on the matter if you are interested.
>>> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
>>> database. To do that samba connects with a privileged user to the LDAP
>>> directory and manages some attributes of users and groups in the
>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>> attribute to users, groups and machines of the domain.
>>> When users of Windows workstations in a samba domain change their
>>> passwords samba updates the sambaNTPassword, userPassword,
>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>> ldap user.
>>> Using freeIPA as ldap user backend for samba works quite well, except
>>> for the password policy problem mentioned in the last mail, and that it is
>>> hard to keep the enabled/disabled status of an account in sync.
>> What is the value of using FreeIPA as a Samba back end in comparison
>> to other variants?
>> Why is IPA more interesting than, say, 389-DS or OpenLDAP or native Samba?
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
> cannot do this - the functionality that does this is provided by an
> IPA password plugin. Openldap has a similar plugin, but I think it is
> "contrib" and not "officially supported".
I know that Endi did the work to make 389 be a viable back end for Samba
and it passed all the Samba torture tests so I am not sure I agree with
you. Samba does the kerberos operations itself and uses LDAP as a
storage only. This is why I am struggling to understand the use case. It
seems that Loris has a different configuration that I do not quite
understand, thus questions.
>> What other features of IPA are used in such setup?
>> Answering these (and maybe other) questions would help us to
>> understand how common the use case you brought up is.
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-devel mailing list