Re: [Freeipa-devel] freeIPA as a samba backend

2012-07-03 Thread Alexander Bokovoy

On Tue, 03 Jul 2012, Dmitri Pal wrote:

On 06/26/2012 04:44 PM, Loris Santamaria wrote:

On Tue, 26-06-2012 at 13:39 -0400, Dmitri Pal wrote:

On 06/26/2012 01:28 PM, Rich Megginson wrote:

On 06/26/2012 11:13 AM, Dmitri Pal wrote:

On 06/26/2012 11:11 AM, Loris Santamaria wrote:

On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:

On 06/25/2012 09:02 PM, Loris Santamaria wrote:

Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

  * Password change by the user, with full enforcement of policies
  * Password change by an admin, with no enforcement of policies and
the new password is set as expired so the user has to change it
on next logon
  * Password change by Directory Manager, with no enforcement of
policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba; samba
should connect to freeIPA with a user privileged enough to change
passwords for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?


Can you please explain why samba needs to connect to IPA and change
the passwords?
In what role do you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to set up Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.

Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
database. To do that samba connects with a privileged user to the LDAP
directory and manages some attributes of users and groups in the
directory, adding the sambaSAMAccount objectclass and the sambaSID
attribute to users, groups and machines of the domain.

When users of Windows workstations in a samba domain change their
passwords samba updates the sambaNTPassword, userPassword,
sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
ldap user.

Using freeIPA as an LDAP user backend for samba works quite well, except
for the password policy problem mentioned in my last mail and that it is
hard to keep the enabled/disabled status of an account in sync.

What is the value of using FreeIPA as a Samba back end in
comparison to other variants?
Why is IPA more interesting than say 389-DS or OpenLDAP or native
Samba?

IPA will keep all of your passwords in sync - userPassword,
sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
cannot do this - the functionality that does this is provided by an
IPA password plugin.  Openldap has a similar plugin, but I think it
is "contrib" and not "officially supported".



I know that Endi did the work to make 389 be a viable back end for
Samba and it passed all the Samba torture tests so I am not sure I
agree with you. Samba does the kerberos operations itself and uses
LDAP as a storage only. This is why I am struggling to understand the
use case. It seems that Loris has a different configuration that I do
not quite understand, thus questions.


What other features of IPA are used in such setup?

Answering these (and maybe other) questions would help us to
understand how common the use case you brought up is.

First of all, the use case is that of using Samba 3 as a Domain
Controller. Here in Venezuela the government itself promotes the use of
free software so most government agencies and industries won't install
Active Directory to administer windows desktops. There are some medium
to large deployments of Samba 3 as a domain controller here, and there
are a number of Linux desktops deployed in the same networks.

When you use Samba 3 as a Domain Controller with a largish number of
users and machines it is mandatory to use an LDAP server as a backend, and
for that you have basically two choices, which are of course OpenLDAP and
389-DS, but those servers have to be combined with some administration
tools to be really useful.

The ideal choice for us is 389-DS with freeIPA as an administration
framework because of:

  * Really easy to use to administer users and groups. Those users
and groups are visible from the samba domain and from linux
machines in the IPA realm or from legacy unix and linux machines
configured as ldap clients
  * ipa_pwd_extop keeps ldap, samba and kerberos passwords in sync.
Well, this could be better
  * freeIPA sets up 389-ds very well, with sane indexes and
permissions. For good performance with samba you just have to
   

Re: [Freeipa-devel] freeIPA as a samba backend

2012-07-03 Thread Dmitri Pal
On 06/26/2012 04:44 PM, Loris Santamaria wrote:
> On Tue, 26-06-2012 at 13:39 -0400, Dmitri Pal wrote:
>> On 06/26/2012 01:28 PM, Rich Megginson wrote: 
>>> On 06/26/2012 11:13 AM, Dmitri Pal wrote: 
 On 06/26/2012 11:11 AM, Loris Santamaria wrote: 
> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
>>> Hi,
>>>
>>> while using freeIPA as a user database for a samba installation I found
>>> a problem in the enforcement of password policies. FreeIPA password
>>> policies are more detailed than samba's, in freeIPA one may enforce
>>> password history and the number of character classes in a password, but
>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>> policies are not enforced.
>>>
>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>> when changing passwords:
>>>
>>>   * Password change by the user, with full enforcement of policies
>>>   * Password change by an admin, with no enforcement of policies and
>>> the new password is set as expired so the user has to change it
>>> on next logon
>>>   * Password change by Directory Manager, with no enforcement of
>>> policies and the password is not set as expired.
>>>
>>> None of the aforementioned possibilities are ideal for samba; samba
>>> should connect to freeIPA with a user privileged enough to change
>>> passwords for all users but with fully enforced policies.
>>>
>>> What do you think about this? Would you consider adding such feature?
>>> Would you accept patches?
>>>
>> Can you please explain why samba needs to connect to IPA and change
>> the passwords?
>> In what role do you use samba? As a file server or as something else?
>> I am not sure I follow why you need the password change functionality.
>> There is a way to set up Samba FS with IPA without trying to make IPA a
>> back end for Samba.
>> I can try to dig some writeups on the matter if you are interested.
> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
> database. To do that samba connects with a privileged user to the LDAP
> directory and manages some attributes of users and groups in the
> directory, adding the sambaSAMAccount objectclass and the sambaSID
> attribute to users, groups and machines of the domain.
>
> When users of Windows workstations in a samba domain change their
> passwords samba updates the sambaNTPassword, userPassword,
> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
> ldap user.
>
> Using freeIPA as an LDAP user backend for samba works quite well, except
> for the password policy problem mentioned in my last mail and that it is
> hard to keep the enabled/disabled status of an account in sync.
 What is the value of using FreeIPA as a Samba back end in
 comparison to other variants?
 Why is IPA more interesting than say 389-DS or OpenLDAP or native
 Samba?
>>> IPA will keep all of your passwords in sync - userPassword,
>>> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
>>> cannot do this - the functionality that does this is provided by an
>>> IPA password plugin.  Openldap has a similar plugin, but I think it
>>> is "contrib" and not "officially supported".
>>>
>>
>> I know that Endi did the work to make 389 be a viable back end for
>> Samba and it passed all the Samba torture tests so I am not sure I
>> agree with you. Samba does the kerberos operations itself and uses
>> LDAP as a storage only. This is why I am struggling to understand the
>> use case. It seems that Loris has a different configuration that I do
>> not quite understand, thus questions.
>>
 What other features of IPA are used in such setup?

 Answering these (and maybe other) questions would help us to
 understand how common the use case you brought up is.
> First of all, the use case is that of using Samba 3 as a Domain
> Controller. Here in Venezuela the government itself promotes the use of
> free software so most government agencies and industries won't install
> Active Directory to administer windows desktops. There are some medium
> to large deployments of Samba 3 as a domain controller here, and there
> are a number of Linux desktops deployed in the same networks.
>
> When you use Samba 3 as a Domain Controller with a largish number of
> users and machines it is mandatory to use an LDAP server as a backend, and
> for that you have basically two choices, which are of course OpenLDAP and
> 389-DS, but those servers have to be combined with some administration
> tools to be really useful.
>
> The ideal choice for us is 389-DS with freeIPA as an administration
> framework because of:
>
>   * Really easy to use to administer users and groups. Those u

Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Loris Santamaria
On Tue, 26-06-2012 at 13:39 -0400, Dmitri Pal wrote:
> On 06/26/2012 01:28 PM, Rich Megginson wrote: 
> > On 06/26/2012 11:13 AM, Dmitri Pal wrote: 
> > > On 06/26/2012 11:11 AM, Loris Santamaria wrote: 
> > > > On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
> > > > > On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
> > > > > > Hi,
> > > > > > 
> > > > > > while using freeIPA as a user database for a samba installation I 
> > > > > > found
> > > > > > a problem in the enforcement of password policies. FreeIPA password
> > > > > > policies are more detailed than samba's, in freeIPA one may enforce
> > > > > > password history and the number of character classes in a password, 
> > > > > > but
> > > > > > normally samba connects to freeIPA with the "Directory Manager" so 
> > > > > > those
> > > > > > policies are not enforced.
> > > > > > 
> > > > > > Reading the source of ipa_pwd_extop I see there are three 
> > > > > > possibilities
> > > > > > when changing passwords:
> > > > > > 
> > > > > >   * Password change by the user, with full enforcement of 
> > > > > > policies
> > > > > >   * Password change by an admin, with no enforcement of 
> > > > > > policies and
> > > > > > the new password is set as expired so the user has to 
> > > > > > change it
> > > > > > on next logon
> > > > > >   * Password change by Directory Manager, with no enforcement of
> > > > > > policies and the password is not set as expired.
> > > > > > 
> > > > > > None of the aforementioned possibilities are ideal for samba; samba
> > > > > > should connect to freeIPA with a user privileged enough to change
> > > > > > passwords for all users but with fully enforced policies.
> > > > > > 
> > > > > > What do you think about this? Would you consider adding such 
> > > > > > feature?
> > > > > > Would you accept patches?
> > > > > > 
> > > > > Can you please explain why samba needs to connect to IPA and change
> > > > > the passwords?
> > > > > In what role do you use samba? As a file server or as something else?
> > > > > I am not sure I follow why you need the password change functionality.
> > > > > There is a way to set up Samba FS with IPA without trying to make IPA a
> > > > > back end for Samba.
> > > > > I can try to dig some writeups on the matter if you are interested.
> > > > Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
> > > > database. To do that samba connects with a privileged user to the LDAP
> > > > directory and manages some attributes of users and groups in the
> > > > directory, adding the sambaSAMAccount objectclass and the sambaSID
> > > > attribute to users, groups and machines of the domain.
> > > > 
> > > > When users of Windows workstations in a samba domain change their
> > > > passwords samba updates the sambaNTPassword, userPassword,
> > > > sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
> > > > ldap user.
> > > > 
> > > > Using freeIPA as an LDAP user backend for samba works quite well, except
> > > > for the password policy problem mentioned in my last mail and that it is
> > > > hard to keep the enabled/disabled status of an account in sync.
> > > 
> > > What is the value of using FreeIPA as a Samba back end in
> > > comparison to other variants?
> > > Why is IPA more interesting than say 389-DS or OpenLDAP or native
> > > Samba?
> > 
> > IPA will keep all of your passwords in sync - userPassword,
> > sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
> > cannot do this - the functionality that does this is provided by an
> > IPA password plugin.  Openldap has a similar plugin, but I think it
> > is "contrib" and not "officially supported".
> > 
> 
> 
> I know that Endi did the work to make 389 be a viable back end for
> Samba and it passed all the Samba torture tests so I am not sure I
> agree with you. Samba does the kerberos operations itself and uses
> LDAP as a storage only. This is why I am struggling to understand the
> use case. It seems that Loris has a different configuration that I do
> not quite understand, thus questions.
> 
> > > What other features of IPA are used in such setup?
> > > 
> > > Answering these (and maybe other) questions would help us to
> > > understand how common the use case you brought up is.

First of all, the use case is that of using Samba 3 as a Domain
Controller. Here in Venezuela the government itself promotes the use of
free software so most government agencies and industries won't install
Active Directory to administer windows desktops. There are some medium
to large deployments of Samba 3 as a domain controller here, and there
are a number of Linux desktops deployed in the same networks.

When you use Samba 3 as a Domain Controller with a largish number of
users and machines it is mandatory to use an LDAP server as a backend, and
for that you have basically two choices, which are of course OpenLDAP and
389-DS, but those servers have to be combined w

Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Alexander Bokovoy

On Tue, 26 Jun 2012, Endi Sukma Dewata wrote:

On 6/26/2012 12:53 PM, Rich Megginson wrote:

IPA will keep all of your passwords in sync - userPassword,
sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
cannot do this - the functionality that does this is provided by an
IPA password plugin.  Openldap has a similar plugin, but I think it
is "contrib" and not "officially supported".


I know that Endi did the work to make 389 be a viable back end for
Samba and it passed all the Samba torture tests so I am not sure I
agree with you.


Was that for samba4 or samba3?


It was for Samba 4, but that was done a while ago. I'm not sure of the
current status of the code. It worked up to some point, but it's no
longer maintained due to lack of OpenLDAP experts to make further
modifications since this involves Samba code that is shared between
both backends.

Samba4 deprecated the LDAP backend a long time ago. Only the ldb backend is
supported.

smbd in Samba4 is still using the same PDB interface as Samba 3 and has
the traditional ldapsam module that Loris is using (most likely). For Samba4
AD DC integration it has a few Samba4-specific modules, both for the PDB and
VFS interfaces.

The ipasam module in FreeIPAv3 is an expansion of ldapsam to support trusted
domains and works with smbd from Samba4. This module is using a new schema
for Samba-specific attributes introduced in FreeIPAv3, whose values are
co-maintained by various slapd plugins and ipasam, as well as the new
FreeIPA kdb driver for the MIT Kerberos KDC.

Turning back to Dmitri's original question: besides file serving
capabilities, what are the other use cases that could be solved by a
combination of FreeIPA and a Samba member server? As FreeIPA provides
alternative means to join machines to a single realm (the FreeIPA Kerberos
realm) and maintain them reliably with sssd, Samba DC functionality
in a pure FreeIPA setup seems to be of less importance.

If there is a need to join Windows machines to a FreeIPA setup without
utilizing an Active Directory domain, then I'd also like to hear how
important that is. Right now we are missing a few capabilities in FreeIPAv3
to make Samba 4's smbd a non-Active Directory DC (a.k.a. a classic NT-style
domain with enhanced encryption), and knowing how important this integrated
setup is would help prioritising features.
--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Endi Sukma Dewata

On 6/26/2012 12:53 PM, Rich Megginson wrote:

IPA will keep all of your passwords in sync - userPassword,
sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
cannot do this - the functionality that does this is provided by an
IPA password plugin.  Openldap has a similar plugin, but I think it
is "contrib" and not "officially supported".


I know that Endi did the work to make 389 be a viable back end for
Samba and it passed all the Samba torture tests so I am not sure I
agree with you.


Was that for samba4 or samba3?


It was for Samba 4, but that was done a while ago. I'm not sure of the
current status of the code. It worked up to some point, but it's no
longer maintained due to lack of OpenLDAP experts to make further
modifications since this involves Samba code that is shared between both
backends.


--
Endi S. Dewata




Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Rich Megginson

On 06/26/2012 11:39 AM, Dmitri Pal wrote:

On 06/26/2012 01:28 PM, Rich Megginson wrote:

On 06/26/2012 11:13 AM, Dmitri Pal wrote:

On 06/26/2012 11:11 AM, Loris Santamaria wrote:

On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:

On 06/25/2012 09:02 PM, Loris Santamaria wrote:

Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

   * Password change by the user, with full enforcement of policies
   * Password change by an admin, with no enforcement of policies and
 the new password is set as expired so the user has to change it
 on next logon
   * Password change by Directory Manager, with no enforcement of
 policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba; samba
should connect to freeIPA with a user privileged enough to change
passwords for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?


Can you please explain why samba needs to connect to IPA and change
the passwords?
In what role do you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to set up Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.

Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
database. To do that samba connects with a privileged user to the LDAP
directory and manages some attributes of users and groups in the
directory, adding the sambaSAMAccount objectclass and the sambaSID
attribute to users, groups and machines of the domain.

When users of Windows workstations in a samba domain change their
passwords samba updates the sambaNTPassword, userPassword,
sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
ldap user.

Using freeIPA as an LDAP user backend for samba works quite well, except
for the password policy problem mentioned in my last mail and that it is
hard to keep the enabled/disabled status of an account in sync.


What is the value of using FreeIPA as a Samba back end in comparison 
to other variants?

Why is IPA more interesting than say 389-DS or OpenLDAP or native Samba?


IPA will keep all of your passwords in sync - userPassword, 
sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389 
cannot do this - the functionality that does this is provided by an 
IPA password plugin.  Openldap has a similar plugin, but I think it 
is "contrib" and not "officially supported".





I know that Endi did the work to make 389 be a viable back end for 
Samba and it passed all the Samba torture tests so I am not sure I 
agree with you.


Was that for samba4 or samba3?


Samba does the kerberos operations itself and uses LDAP as a storage only.


Samba4 or samba3?

This is why I am struggling to understand the use case. It seems that 
Loris has a different configuration that I do not quite understand, 
thus questions.



What other features of IPA are used in such setup?

Answering these (and maybe other) questions would help us to 
understand how common the use case you brought up is.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/














Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Dmitri Pal
On 06/26/2012 01:28 PM, Rich Megginson wrote:
> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
 On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
> Hi,
>
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's, in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
>
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>
>   * Password change by the user, with full enforcement of policies
>   * Password change by an admin, with no enforcement of policies and
> the new password is set as expired so the user has to change it
> on next logon
>   * Password change by Directory Manager, with no enforcement of
> policies and the password is not set as expired.
>
> None of the aforementioned possibilities are ideal for samba; samba
> should connect to freeIPA with a user privileged enough to change
> passwords for all users but with fully enforced policies.
>
> What do you think about this? Would you consider adding such feature?
> Would you accept patches?
>
 Can you please explain why samba needs to connect to IPA and change
 the passwords?
 In what role do you use samba? As a file server or as something else?
 I am not sure I follow why you need the password change functionality.
 There is a way to set up Samba FS with IPA without trying to make IPA a
 back end for Samba.
 I can try to dig some writeups on the matter if you are interested.
>>> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
>>> database. To do that samba connects with a privileged user to the LDAP
>>> directory and manages some attributes of users and groups in the
>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>> attribute to users, groups and machines of the domain.
>>>
>>> When users of Windows workstations in a samba domain change their
>>> passwords samba updates the sambaNTPassword, userPassword,
>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>> ldap user.
>>>
>>> Using freeIPA as an LDAP user backend for samba works quite well, except
>>> for the password policy problem mentioned in my last mail and that it is
>>> hard to keep the enabled/disabled status of an account in sync.
>>
>> What is the value of using FreeIPA as a Samba back end in comparison
>> to other variants?
>> Why is IPA more interesting than say 389-DS or OpenLDAP or native Samba?
>
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
> cannot do this - the functionality that does this is provided by an
> IPA password plugin.  Openldap has a similar plugin, but I think it is
> "contrib" and not "officially supported".
>


I know that Endi did the work to make 389 be a viable back end for Samba
and it passed all the Samba torture tests so I am not sure I agree with
you. Samba does the kerberos operations itself and uses LDAP as a
storage only. This is why I am struggling to understand the use case. It
seems that Loris has a different configuration that I do not quite
understand, thus questions.

>> What other features of IPA are used in such setup?
>>
>> Answering these (and maybe other) questions would help us to
>> understand how common the use case you brought up is.
>>
>>>
>>
>>
>>
>>
>>
>>
>






Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Rich Megginson

On 06/26/2012 11:13 AM, Dmitri Pal wrote:

On 06/26/2012 11:11 AM, Loris Santamaria wrote:

On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:

On 06/25/2012 09:02 PM, Loris Santamaria wrote:

Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

   * Password change by the user, with full enforcement of policies
   * Password change by an admin, with no enforcement of policies and
 the new password is set as expired so the user has to change it
 on next logon
   * Password change by Directory Manager, with no enforcement of
 policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba; samba
should connect to freeIPA with a user privileged enough to change
passwords for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?


Can you please explain why samba needs to connect to IPA and change
the passwords?
In what role do you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to set up Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.

Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
database. To do that samba connects with a privileged user to the LDAP
directory and manages some attributes of users and groups in the
directory, adding the sambaSAMAccount objectclass and the sambaSID
attribute to users, groups and machines of the domain.

When users of Windows workstations in a samba domain change their
passwords samba updates the sambaNTPassword, userPassword,
sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
ldap user.

Using freeIPA as an LDAP user backend for samba works quite well, except
for the password policy problem mentioned in my last mail and that it is
hard to keep the enabled/disabled status of an account in sync.


What is the value of using FreeIPA as a Samba back end in comparison 
to other variants?

Why is IPA more interesting than say 389-DS or OpenLDAP or native Samba?


IPA will keep all of your passwords in sync - userPassword, 
sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389 
cannot do this - the functionality that does this is provided by an IPA 
password plugin.  Openldap has a similar plugin, but I think it is 
"contrib" and not "officially supported".



What other features of IPA are used in such setup?

Answering these (and maybe other) questions would help us to 
understand how common the use case you brought up is.














Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Dmitri Pal
On 06/26/2012 11:11 AM, Loris Santamaria wrote:
> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
>>> Hi,
>>>
>>> while using freeIPA as a user database for a samba installation I found
>>> a problem in the enforcement of password policies. FreeIPA password
>>> policies are more detailed than samba's, in freeIPA one may enforce
>>> password history and the number of character classes in a password, but
>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>> policies are not enforced.
>>>
>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>> when changing passwords:
>>>
>>>   * Password change by the user, with full enforcement of policies
>>>   * Password change by an admin, with no enforcement of policies and
>>> the new password is set as expired so the user has to change it
>>> on next logon
>>>   * Password change by Directory Manager, with no enforcement of
>>> policies and the password is not set as expired.
>>>
>>> None of the aforementioned possibilities are ideal for samba; samba
>>> should connect to freeIPA with a user privileged enough to change
>>> passwords for all users but with fully enforced policies.
>>>
>>> What do you think about this? Would you consider adding such feature?
>>> Would you accept patches?
>>>
>> Can you please explain why samba needs to connect to IPA and change
>> the passwords?
>> In what role you use samba? As a file server or as something else?
>> I am not sure I follow why you need the password change functionality.
>> There is a way to setup Samba FS with IPA without trying to make IPA a
>> back end for Samba.
>> I can try to dig some writeups on the matter if you are interested.
> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
> database. To do that samba connects with a privileged user to the LDAP
> directory and manages some attributes of users and groups in the
> directory, adding the sambaSAMAccount objectclass and the sambaSID
> attribute to users, groups and machines of the domain.
>
> When users of Windows workstations in a samba domain change their
> passwords samba updates the sambaNTPassword, userPassword,
> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
> ldap user.
>
> Using freeIPA as ldap user backend for samba works quite well, except
> for the password policy problem mentioned in last mail and that it is
> hard to maintain in sync the enabled/disabled status of an account. 

What is the value of using FreeIPA as a Samba back end in comparison to
other variants?
Why is IPA more interesting than, say, 389-DS or OpenLDAP or native Samba?
What other features of IPA are used in such setup?

Answering these (and maybe other) questions would help us understand
how common the use case you brought up is.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Loris Santamaria
El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribió:
> On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
> > Hi,
> > 
> > while using freeIPA as a user database for a samba installation I found
> > a problem in the enforcement of password policies. FreeIPA password
> > policies are more detailed than samba's, in freeIPA one may enforce
> > password history and the number of character classes in a password, but
> > normally samba connects to freeIPA with the "Directory Manager" so those
> > policies are not enforced.
> > 
> > Reading the source of ipa_pwd_extop I see there are three possibilities
> > when changing passwords:
> > 
> >   * Password change by the user, with full enforcement of policies
> >   * Password change by an admin, with no enforcement of policies and
> > the new password is set as expired so the user has to change it
> > on next logon
> >   * Password change by Directory Manager, with no enforcement of
> > policies and the password is not set as expired.
> > 
> > None of the aforementioned possibilities are ideal for samba, samba
> > should connect to freeIPA with a user privileged enough to change
> > password for all users but with fully enforced policies.
> > 
> > What do you think about this? Would you consider adding such feature?
> > Would you accept patches?
> > 
> 
> Can you please explain why samba needs to connect to IPA and change
> the passwords?
> In what role you use samba? As a file server or as something else?
> I am not sure I follow why you need the password change functionality.
> There is a way to setup Samba FS with IPA without trying to make IPA a
> back end for Samba.
> I can try to dig some writeups on the matter if you are interested.

Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
database. To do that samba connects with a privileged user to the LDAP
directory and manages some attributes of users and groups in the
directory, adding the sambaSAMAccount objectclass and the sambaSID
attribute to users, groups and machines of the domain.

When users of Windows workstations in a samba domain change their
passwords samba updates the sambaNTPassword, userPassword,
sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
ldap user.

Using freeIPA as ldap user backend for samba works quite well, except
for the password policy problem mentioned in last mail and that it is
hard to maintain in sync the enabled/disabled status of an account. 

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford



Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Rob Crittenden

Loris Santamaria wrote:

Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

   * Password change by the user, with full enforcement of policies
   * Password change by an admin, with no enforcement of policies and
 the new password is set as expired so the user has to change it
 on next logon
   * Password change by Directory Manager, with no enforcement of
 policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba, samba
should connect to freeIPA with a user privileged enough to change
password for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?


This would bump up the complexity a bit as we'd need a fourth class of 
password change types. This could be managed similar to the passsync_dn 
list. You'd need to bind to the IPA LDAP server using a special account, 
which is probably a better idea than DM anyway.


Yes, patches are accepted.

regards

rob

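Added example (mine, not ipa_pwd_extop's code and not a patch): a model of the three change classes Loris lists, plus the fourth class Rob suggests, a dedicated bind account whose changes are policy-enforced but not marked expired. The policy part enforces the two checks the original post names, password history and character classes, against {SSHA} history values as 389-DS stores them. Assumptions: the Directory Manager DN, the admin and service DNs, a timestamp prefix on history values, a four-class character model (upper, lower, digit, other) standing in for IPA's krbPwdMinDiffChars accounting, and the length/class/history thresholds.

```python
import base64
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Assumed DN (not from the thread).
DIRECTORY_MANAGER_DN = "cn=Directory Manager"


@dataclass(frozen=True)
class ChangeMode:
    enforce_policy: bool   # run history / character-class checks
    set_expired: bool      # force a change at next logon


def classify_change(bind_dn: str, target_dn: str, admin_dns: set, service_dns: set) -> ChangeMode:
    """Decide how a change is treated, keyed on who bound to LDAP. The first three
    cases follow the behaviour described for ipa_pwd_extop; service_dns is the
    proposed fourth class: may change anyone's password, policy enforced, not expired."""
    if bind_dn.lower() == target_dn.lower():
        return ChangeMode(enforce_policy=True, set_expired=False)
    if bind_dn.lower() == DIRECTORY_MANAGER_DN.lower():
        return ChangeMode(enforce_policy=False, set_expired=False)
    if bind_dn in service_dns:
        return ChangeMode(enforce_policy=True, set_expired=False)
    if bind_dn in admin_dns:
        return ChangeMode(enforce_policy=False, set_expired=True)
    raise PermissionError(f"{bind_dn} may not change the password of {target_dn}")


def character_classes(password: str) -> int:
    """Count classes present: upper, lower, digit, other (simplified model)."""
    groups = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    n = sum(1 for g in groups if any(ch in g for ch in password))
    if any(ch not in string.ascii_letters + string.digits for ch in password):
        n += 1
    return n


def ssha(password: str, salt: bytes = None) -> str:
    """{SSHA} as 389-DS stores it: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_matches(password: str, stored: str) -> bool:
    """Check a candidate against a stored value. A history value is assumed to
    carry a timestamp prefix before the scheme marker, so the marker is located
    rather than expected at offset 0."""
    marker = "{SSHA}"
    pos = stored.find(marker)
    if pos < 0:
        return False
    raw = base64.b64decode(stored[pos + len(marker):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def policy_violations(new_password: str, history: list, min_length: int = 8,
                      min_classes: int = 3) -> list:
    """Reasons the password would be rejected; an empty list means accepted."""
    problems = []
    if len(new_password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(new_password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if any(ssha_matches(new_password, old) for old in history):
        problems.append("reuses a password from the history")
    return problems


def change_password(bind_dn: str, target_dn: str, new_password: str, history: list,
                    admin_dns: set, service_dns: set) -> ChangeMode:
    """Classify first, then apply policy only where the class demands it."""
    mode = classify_change(bind_dn, target_dn, admin_dns, service_dns)
    if mode.enforce_policy:
        problems = policy_violations(new_password, history)
        if problems:
            raise ValueError("; ".join(problems))
    return mode
```

The check has to live on the server side of the bind, as in the model above: a Samba-side pre-check would be advisory only, since an account that can write userPassword and sambaNTPassword for every user can write whatever it likes. That is the reason a dedicated service DN with its own treatment in the plugin is preferable to binding as Directory Manager.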


Re: [Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Dmitri Pal
On 06/25/2012 09:02 PM, Loris Santamaria wrote:
> Hi,
>
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's, in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
>
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>
>   * Password change by the user, with full enforcement of policies
>   * Password change by an admin, with no enforcement of policies and
> the new password is set as expired so the user has to change it
> on next logon
>   * Password change by Directory Manager, with no enforcement of
> policies and the password is not set as expired.
>
> None of the aforementioned possibilities are ideal for samba, samba
> should connect to freeIPA with a user privileged enough to change
> password for all users but with fully enforced policies.
>
> What do you think about this? Would you consider adding such feature?
> Would you accept patches?
>

Can you please explain why samba needs to connect to IPA and change the
passwords?
In what role you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to setup Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig some writeups on the matter if you are interested.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





[Freeipa-devel] freeIPA as a samba backend

2012-06-26 Thread Loris Santamaria
Hi,

while using freeIPA as a user database for a samba installation I found
a problem in the enforcement of password policies. FreeIPA password
policies are more detailed than samba's, in freeIPA one may enforce
password history and the number of character classes in a password, but
normally samba connects to freeIPA with the "Directory Manager" so those
policies are not enforced.

Reading the source of ipa_pwd_extop I see there are three possibilities
when changing passwords:

  * Password change by the user, with full enforcement of policies
  * Password change by an admin, with no enforcement of policies and
the new password is set as expired so the user has to change it
on next logon
  * Password change by Directory Manager, with no enforcement of
policies and the password is not set as expired.

None of the aforementioned possibilities are ideal for samba, samba
should connect to freeIPA with a user privileged enough to change
password for all users but with fully enforced policies.

What do you think about this? Would you consider adding such feature?
Would you accept patches?

 
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

