Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Alexandre Biancalana wrote:
> On 10/2/08, Ryan Steele [EMAIL PROTECTED] wrote:
> > [...]
> > All that being said, I'd be curious to know where this lies in the current development pipeline (if at all).
>
> Do we have any paper explaining the work that has to be done?
> Or early patches (proof of concept) that could be used as a starting point for this?

I don't think there are either of those (officially). The thread I started back in April (which starts here: http://lists.samba.org/archive/samba/2008-April/139711.html) has all the technical details on exactly what happens currently, and suggestions about how it could be fixed. But I can try and sum up the general idea of what's wrong (as best I can remember - forgive me if I'm a little off in some aspects; it's been several months since I've dealt with it), and how it could be fixed.

Take the case where a Windows user has logged in to the Samba domain and attempts to change their password by hitting ctrl+alt+delete. The user provides their old password and the new password, and sends both to Samba. Samba then checks to see what its passdb backend is, which in this case would be ldapsam:ldap://server, and as a result sends the old and new password to LDAP. If LDAP is using the ppolicy overlay, it checks to see if the new password meets all the criteria defined in the ppolicy. Take the ppolicy entry I described in that thread:

  dn: cn=Password Policy,ou=Policies,dc=example,dc=com
  cn: Password Policy
  pwdAttribute: userPassword
  pwdMaxAge: 3888000
  pwdMinAge: 3468000
  pwdMinLength: 6
  pwdExpireWarning: 432000
  pwdFailureCountInterval: 0
  pwdMustChange: FALSE
  pwdAllowUserChange: TRUE
  pwdLockout: TRUE
  pwdCheckQuality: 1
  pwdGraceAuthNLimit: 0
  pwdInHistory: 6
  pwdMaxFailure: 2
  pwdLockoutDuration: 60
  objectClass: device
  objectClass: pwdPolicy
  objectClass: pwdPolicyChecker
  objectClass: top
  pwdCheckModule: check_password.so
  pwdSafeModify: FALSE

This is an entry that is visible to ANYBODY who queries LDAP. It uses the above attributes to check if the password is sufficient, e.g.:

  - Is it long enough (pwdMinLength - minimum six characters)?
  - Is it one of the last 6 passwords (pwdInHistory)?
  - Is it strong enough (pwdCheckModule - it uses check_password.so to check the strength)? The check_password.so was a shared object created by compiling a small C program I wrote that checked to see if the password had at least 3 out of 4 of the following: one uppercase letter, one lowercase letter, a number, and a punctuation mark. The pwdCheckModule has to be of the form described here: http://linux.die.net/man/5/slapo-ppolicy

If the user provided a password that only had numbers in it, it would fail the pwdCheckModule check because it only met 1 of those 4 strength criteria, and LDAP returns 0x13 (NT_STATUS_PASSWORD_RESTRICTION) and the following message to Samba:

  [2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
    Extended operation failed with error: Constraint violation (Password fails quality checking policy)
  [2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
    ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
    Password fails quality checking policy

But, instead
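The "3 out of 4 character classes" check that the message above describes for check_password.so, written out as an added example. This is not Ryan's module and not code from the OpenLDAP or Samba projects. It follows the pwdCheckModule entry point that slapo-ppolicy(5) documents for OpenLDAP 2.4, int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry), with two assumptions so that it compiles and runs outside the OpenLDAP source tree: the Entry * argument is typed void * (a real module includes slap.h and may look at the entry), and the reason string is handed back malloc'd on the assumption that the overlay frees it. Check the man page for the version you build against before loading it via pwdCheckModule. LDAP_SUCCESS and LDAP_OTHER carry the values from ldap.h.

```c
/* Added example (not the original poster's check_password.so): an
 * OpenLDAP slapo-ppolicy pwdCheckModule that enforces "at least 3 of 4
 * character classes" (upper, lower, digit, punctuation).
 *
 * Assumptions so this compiles outside the OpenLDAP tree:
 *  - the third argument is really `Entry *` from slap.h; it is `void *` here
 *  - *ppErrStr is handed back malloc'd and is freed by the overlay
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS 0x00   /* return codes as defined in ldap.h */
#define LDAP_OTHER   0x50

#define REQUIRED_CLASSES 3  /* policy: 3 of the 4 classes must be present */

/* Count how many of the four character classes appear in pw.
 * ASCII-only classification; a NULL or empty password scores 0. */
int password_class_count(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, punct = 0;
    const unsigned char *p;

    if (pw == NULL)
        return 0;
    for (p = (const unsigned char *)pw; *p != '\0'; p++) {
        if (isupper(*p))      upper = 1;
        else if (islower(*p)) lower = 1;
        else if (isdigit(*p)) digit = 1;
        else if (ispunct(*p)) punct = 1;
    }
    return upper + lower + digit + punct;
}

/* pwdCheckModule entry point (OpenLDAP 2.4 prototype, Entry* as void*).
 * Returns LDAP_SUCCESS if the password passes; otherwise LDAP_OTHER plus a
 * human-readable reason in *ppErrStr for the overlay to use as diagnostic
 * text (the Samba log above shows the generic "Password fails quality
 * checking policy" text the overlay emits when no reason is given). */
int check_password(char *pPasswd, char **ppErrStr, void *pEntry)
{
    int classes = password_class_count(pPasswd);
    (void)pEntry;  /* a real module could read the entry's DN or attributes */

    if (classes >= REQUIRED_CLASSES)
        return LDAP_SUCCESS;

    if (ppErrStr != NULL) {
        char buf[96];
        int n = snprintf(buf, sizeof buf,
                         "password has %d of 4 character classes, need %d",
                         classes, REQUIRED_CLASSES);
        *ppErrStr = malloc((size_t)n + 1);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, buf, (size_t)n + 1);
    }
    return LDAP_OTHER;
}

/* Stand-alone demonstration; drop main() when building the shared object. */
int main(void)
{
    static const char *samples[] = { "12345678", "abcDEF12", "Tr0ub4dor&3", "", NULL };
    int i;

    for (i = 0; samples[i] != NULL; i++) {
        char *reason = NULL;
        int rc = check_password((char *)samples[i], &reason, NULL);
        printf("%-12s rc=0x%02x %s\n", samples[i], rc,
               rc == LDAP_SUCCESS ? "accepted" : reason);
        free(reason);
    }
    return 0;
}
```

Build it as a shared object (gcc -shared -fPIC, without main()) and point pwdCheckModule at the resulting file. One caveat worth checking against the entry above: pwdCheckQuality: 1 tells the overlay to run the module only when it can see the cleartext password and to accept a value it cannot check (a pre-hashed userPassword); pwdCheckQuality: 2 rejects in that case. Samba's ldapsam changes passwords through the password modify extended operation (the smbldap_extended_operation line in the log), so the server receives the cleartext and the module does run for that path.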
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Volker Lendecke wrote:
> On Mon, Sep 29, 2008 at 10:14:01AM -0400, Adam Tauno Williams wrote:
> > This is, AFAIK, the only solution currently. We do the same thing. It stinks.
>
> As I said in the former mail thread: Patches are welcome. If you really want it done quickly, some companies on http://samba.org/samba/support also offer development services.
>
> Volker

Unfortunately, I suspect that many of the folks who probably want this done are system administrators, not software developers. As a systems administrator, I do have the ability to write code, but all I really use in my day-to-day life is Perl and Bash, maybe dabbling in some Python or Ruby. As Samba is written primarily in C, I probably wouldn't write very good patches for it - I find that my proficiency lies in the languages I actually use now, not the ones I used during undergrad in college. And while I'd love to just dump money into the project (or have an employer do it), that's just not always a reality (especially not the amounts needed to fund development efforts).

All that being said, I'd be curious to know where this lies in the current development pipeline (if at all). Again, I (and I believe the community) think this would be very beneficial to Samba as a use and marketing tool, and deserves some consideration. I'm happy to do what I can - testing, tracking down bugs (even if I can't submit working patches), and money when I have it. But mostly I rely on good developers to develop, so that I can focus on my role in the chain - testing it and implementing it in real-world situations, and promoting it by installing it in all applicable environments.

However, it can't be overstated how much I appreciate the work that has been done up to this point on Samba - it's a fantastic piece of software. Keep up the good work!

Respectfully,
Ryan

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
On 10/2/08, Ryan Steele [EMAIL PROTECTED] wrote:
> [...]
> All that being said, I'd be curious to know where this lies in the current development pipeline (if at all). Again, I (and I believe the community) think this would be very beneficial to Samba as a use and marketing tool, and deserves some consideration.

Do we have any paper explaining the work that has to be done?
Or early patches (proof of concept) that could be used as a starting point for this?
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
On Mon, Sep 29, 2008 at 10:14:01AM -0400, Adam Tauno Williams wrote:
> This is, AFAIK, the only solution currently. We do the same thing. It stinks.

As I said in the former mail thread: Patches are welcome. If you really want it done quickly, some companies on http://samba.org/samba/support also offer development services.

Volker
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Ryan Steele wrote:
> [...]
> My workaround was to implement the same security policy in Samba via pdbedit, so essentially the LDAP policies were duplicated in Samba. Another thread I was involved in back then (http://lists.samba.org/archive/samba/2008-April/139594.html) briefly describes this. But, again, this is far from the perfect situation of having one universal way to enforce password policies, and still has its share of problems.

This is, AFAIK, the only solution currently. We do the same thing. It stinks.

--
Consonance: an Open Source .NET OpenGroupware client.
Contact: [EMAIL PROTECTED]
http://freshmeat.net/projects/consonance/
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Volker Lendecke wrote:
> On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
> > [...]
> > I was wondering if any progress had been made on this front that would make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit more streamlined?
>
> At least I'm not aware of anything that has been done.
>
> Sorry,
>
> Volker

Well, given that nothing has been done, what are other folks doing to synchronize Samba password policies with LDAP password policies?

I remember (and the aforementioned thread explains) the situation where a Windows client would attempt to change their password to something weak, and Samba would then ask LDAP if the password met the ppolicy restrictions. If it didn't, LDAP would return a message stating that the password policy was violated, but Samba would return a completely unrelated error message (even though it clearly got the ppolicy message from LDAP).

My workaround was to implement the same security policy in Samba via pdbedit, so essentially the LDAP policies were duplicated in Samba. Another thread I was involved in back then (http://lists.samba.org/archive/samba/2008-April/139594.html) briefly describes this. But, again, this is far from the perfect situation of having one universal way to enforce password policies, and still has its share of problems.

I'd be interested to hear what others have done to circumvent or otherwise work around this type of problem.

Respectfully,
Ryan
[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Hey folks,

Some months back, I entertained a conversation with Volker Lendecke, Adam Tauno Williams, and Simo Sorce about getting Samba to play nice with LDAP's ppolicy overlay. (Thread starts here: http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)

I was wondering if any progress had been made on this front that would make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit more streamlined? Certainly, there have to be more than a few folks out there who would see this as a huge leap for Samba, and give it more of an edge in the market?

Respectfully,
Ryan
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
> [...]
> I was wondering if any progress had been made on this front that would make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit more streamlined? Certainly, there have to be more than a few folks out there who would see this as a huge leap for Samba, and give it more of an edge in the market?

At least I'm not aware of anything that has been done.

Sorry,

Volker