On 06/26/2012 11:39 AM, Dmitri Pal wrote:
On 06/26/2012 01:28 PM, Rich Megginson wrote:
On 06/26/2012 11:13 AM, Dmitri Pal wrote:
On 06/26/2012 11:11 AM, Loris Santamaria wrote:
El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribió:
On 06/25/2012 09:02 PM, Loris Santamaria wrote:
Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

       * Password change by the user, with full enforcement of policies
       * Password change by an admin, with no enforcement of policies and
         the new password is set as expired so the user has to change it
         on next logon
       * Password change by Directory Manager, with no enforcement of
         policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba, samba
should connect to freeIPA with a user privileged enough to change
password for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?

Can you please explain why samba needs to connect to IPA and change
the passwords?
In what role you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to setup Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.
Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
database. To do that samba connects with a privileged user to the LDAP
directory and manages some attributes of users and groups in the
directory, adding the sambaSAMAccount objectclass and the sambaSID
attribute to users, groups and machines of the domain.

When users of Windows workstations in a samba domain change their
passwords samba updates the sambaNTPassword, userPassword,
sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
ldap user.

Using freeIPA as ldap user backend for samba works quite well, except
for the password policy problem mentioned in last mail and that it is
hard to mantain in sync the enabled/disabled status of an account.

What is the value of using FreeIPA as a Samba back end in comparison to other variants?
Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba?

IPA will keep all of your passwords in sync - userPassword, sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389 cannot do this - the functionality that does this is provided by an IPA password plugin. Openldap has a similar plugin, but I think it is "contrib" and not "officially supported".



I know that Endi did the work to make 389 be a viable back end for Samba and it passed all the Samba torture tests so I am not sure I agree with you.

Was that for samba4 or samba3?

Samba does the kerberos operations itself and uses LDAP as a storage only.

Samba4 or samba3?

This is why I am struggling to understand the use case. It seems that Loris has a different configuration that I do not quite understand, thus questions.

What other features of IPA are used in such setup?

Answering these (and may be other) questions would help us to understand how common is the use case that you brought up.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to