> >> I say this because clients joined to the domain (run by a Samba PDC with
> >> an OpenLDAP backend) can change their passwords and it updates the NT/LM
> >> passwords in LDAP, thus verifying the functionality of smbk5pwd, but it
> >> does not appear to enforce ppolicy restrictions. On the flip side of
> >> the coin, the user can change their LDAP password by invoking ldappasswd
> >> from a shell on the server, and is bound by the restrictions set forth
> >> by ppolicy (password length, strength, historical passwords, etc.).
> >
> > The ppolicy overlay is adding extra functionality to the password
> > extended operation. ldappasswd uses this. The restriction is not
> > present if you update the password hash via the ldapmodify command. The
> > key is in the extended operation. As an added tidbit, only userPassword
> > is monitored, not any other attribute.
> >
> > Samba does password changes via an ldapmodify rather than an ldappasswd
> > (unless you have ldap passwd sync = Only, which I have never personally
> > used so I have no tests to back this up). This would explain why LDAP
> > has the policy enforcing and Samba does not.
>
> My 'passwd program' in my smb.conf is "passwd program =
> /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com" - so
> it should be using ldappasswd, which is bound by ppolicy, correct?
You shouldn't need a "passwd program" when using an LDAP SAM.

> I've tried 'ldap passwd sync = only', after my failures with 'ldap
> passwd sync = yes' led me back to the documentation, however this
> yielded no success.

I'm pretty sure if you have "ldap passwd sync = yes" that your "passwd
program" directive is irrelevant, since this means Samba is doing an
ldapmodify to set the NT, LM, and userPassword attributes - your passwd
program isn't doing anything. If "only" doesn't work then I strongly
suspect that your smbk5pwd module is *not* working, otherwise "only"
would be the only mode to make any sense. By setting "ldap passwd sync =
yes" you're, at best, doing the work of smbk5pwd twice.

--
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
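The distinction the reply draws (ppolicy only sees the Password Modify extended operation, while `ldap passwd sync = yes` makes Samba replace userPassword with a plain ldapmodify) is easy to check in a config before blaming smbk5pwd. The script below is an added example, not code from the thread or from the Samba project: a hypothetical checker that reads an smb.conf, works out which path Samba will take, and flags the combinations discussed above. It assumes the documented `ldap passwd sync` values (`no`, the default, `yes`, `only`) and that `passwd program` is only invoked when `unix password sync = yes`. The two sample smb.conf files it writes are constructed for a stand-alone run and are not the poster's actual configuration.

```shell
#!/bin/sh
# Hypothetical smb.conf checker (added example, not from the thread or Samba).
# Reports how a Samba LDAP SAM will write a changed password into slapd:
#   exop        ldap passwd sync = only  -> Password Modify extended operation,
#                                           the path ppolicy checks and
#                                           smbk5pwd hooks
#   ldapmodify  ldap passwd sync = yes   -> userPassword plus NT/LM hashes set
#                                           by a plain modify; ppolicy is not
#                                           consulted
#   hashes      ldap passwd sync = no    -> (default) only sambaNTPassword and
#                                           sambaLMPassword are modified

# Fetch one [global] parameter. Samba ignores case and whitespace in parameter
# names, so "ldap passwd sync" and "LdapPasswdSync" are the same key.
smb_param() {  # usage: smb_param FILE NAME ; prints the value, or nothing
    awk -v want="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }                                  # comment line
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /\[[ \t]*global[ \t]*\]/); next }
        inglobal && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == want) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Map the ldap passwd sync setting to the write path Samba will use.
ldap_pw_path() {  # usage: ldap_pw_path FILE ; prints exop|ldapmodify|hashes
    mode=$(smb_param "$1" "ldap passwd sync" | tr 'A-Z' 'a-z')
    case "$mode" in
        only)        echo exop ;;
        yes|true|1)  echo ldapmodify ;;
        *)           echo hashes ;;
    esac
}

# One line per finding; prints nothing when the configuration is consistent.
ldap_pw_findings() {  # usage: ldap_pw_findings FILE
    path=$(ldap_pw_path "$1")
    prog=$(smb_param "$1" "passwd program")
    unixsync=$(smb_param "$1" "unix password sync" | tr 'A-Z' 'a-z')
    [ "$path" = ldapmodify ] && \
        echo "ldap passwd sync = yes: userPassword is replaced by ldapmodify, so ppolicy never sees the change"
    [ "$path" = hashes ] && \
        echo "ldap passwd sync = no: userPassword is left alone; only the NT/LM hashes change"
    [ -n "$prog" ] && [ "$unixsync" != yes ] && [ "$unixsync" != true ] && \
        echo "passwd program is set but 'unix password sync' is not yes, so it is never run"
    return 0
}

# Constructed sample configs (assumptions for this example, not the poster's
# real smb.conf): one in the shape discussed above, one routing through the exop.
write_sample_confs() {  # usage: write_sample_confs DIR
    cat > "$1/poster.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap passwd sync = yes
   passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
EOF
    cat > "$1/fixed.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://127.0.0.1
   ; hand the change to slapd: ppolicy and smbk5pwd act on the exop
   LdapPasswdSync = only
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for f in poster fixed; do
        printf '%s.conf: password write path = %s\n' "$f" "$(ldap_pw_path "$dir/$f.conf")"
        ldap_pw_findings "$dir/$f.conf" | sed 's/^/  - /'
    done
    rm -rf "$dir"
}
[ "${SMBCHECK_NO_MAIN:-}" ] || main
```

Run it against a real smb.conf by calling `ldap_pw_path /etc/samba/smb.conf` and `ldap_pw_findings /etc/samba/smb.conf` after sourcing the script with `SMBCHECK_NO_MAIN=1`. The parser only reads `[global]`, which is where all three parameters live; `testparm -s` will also show the effective values if you prefer Samba's own parser.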
