2010/5/14 Michael Ströder <michael@stroeder.com>:

> online@mark.ziesemer.com wrote:
> > Full_Name: Mark A. Ziesemer
> > Version: 2.4.21 / HEAD
> > OS: Ubuntu Linux
> > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> >
> > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> > overlay provides several benefits, but does not currently include the
> > shadowLastChange attribute of the shadowAccount class. This means the
> > shadowLastChange is missed from update, unless specially done along with a
> > PasswordModify.
>
> While I agree that this could be useful in general I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.

sambaPwdLastSet is already handled by the "samba" portion of this overlay.

> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...

I guess I wouldn't have any objections if all the references to "shadow" were renamed to "posix". However, the shadowLastChange attribute is part of the shadowAccount objectClass - with neither of these names referring to POSIX.

I had considered a separate overlay. However, in terms of purpose, shared code, functionality, and performance, it seems to make the most sense to include this addition into the smbk5pwd overlay.

Both pam_ldap and the Samba client support use of exop password changes. Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5, which is also the default) - so setting to "exop" also allows for a stronger hash of the password to be stored.

With the unpatched overlay, doing an exop password change updates userPassword (used by POSIX), as well as all the Samba attributes: sambaLMPassword, sambaNTPassword, and sambaPwdLastSet. This allows Samba clients to use the updated password as well as seeing when the password was last set, but POSIX clients do not see an updated shadowLastChange. This patch adds support for the otherwise missing shadowLastChange, keeping everything consistent.

There are many issues posted online with all the password attributes except shadowLastChange getting updated. This patch should provide a solution for many of these cases.

> Ciao, Michael.

--
Mark A. Ziesemer
www.ziesemer.com
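The drift the thread describes (sambaPwdLastSet moves on every exop password change, shadowLastChange does not) is easy to spot in a directory export. The following audit script is an added example, not code from the OpenLDAP project or from anyone in this thread: it parses a small constructed LDIF, converts sambaPwdLastSet (Unix seconds) to the day-count format shadowLastChange uses, and reports accounts whose shadowLastChange is older than the Samba timestamp implies or is missing altogether. The DNs, timestamps and the 2010-05-14 reference date are constructed sample values.

```python
"""Audit LDAP accounts whose shadowLastChange lags behind sambaPwdLastSet.

Added example, not part of the OpenLDAP smbk5pwd overlay or the ITS thread.
shadowLastChange counts days since the Unix epoch; sambaPwdLastSet counts
seconds, so a consistent account has shadowLastChange == sambaPwdLastSet // 86400.
"""

SECONDS_PER_DAY = 86400

# Constructed sample export. alice and dave were changed through a patched
# overlay (both attributes current; dave's change happened at noon UTC to
# show that the day conversion truncates). bob's shadowLastChange is stale and
# carol never had one: both are the symptom discussed in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: alice
sambaPwdLastSet: 1273795200
shadowLastChange: 14743

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: bob
sambaPwdLastSet: 1273795200
shadowLastChange: 14000

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: carol
sambaPwdLastSet: 1273795200

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: dave
sambaPwdLastSet: 1273838400
shadowLastChange: 14743
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; folded continuation lines begin
    with a single space; comment lines begin with '#'. Attribute names are
    lower-cased because LDAP treats them case-insensitively.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # unfold continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def shadow_days(epoch_seconds):
    """Convert Unix seconds to the day count shadowLastChange expects."""
    return int(epoch_seconds) // SECONDS_PER_DAY


def find_stale_shadow(entries):
    """Return (dn, expected_days, actual_days) for inconsistent accounts.

    An account is flagged when shadowLastChange is missing (actual is None)
    or older than the day derived from sambaPwdLastSet. Accounts without
    sambaPwdLastSet are not Samba accounts and are skipped.
    """
    findings = []
    for entry in entries:
        if "sambapwdlastset" not in entry:
            continue
        expected = shadow_days(entry["sambapwdlastset"][0])
        actual_values = entry.get("shadowlastchange")
        actual = int(actual_values[0]) if actual_values else None
        if actual is None or actual < expected:
            findings.append((entry["dn"][0], expected, actual))
    return findings


if __name__ == "__main__":
    for dn, expected, actual in find_stale_shadow(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: shadowLastChange={actual}, expected {expected}")
```

Run against a real `slapcat` or `ldapsearch -LLL` export in place of SAMPLE_LDIF, the report lists exactly the accounts whose POSIX password-ageing data no longer matches what Samba recorded, which is the condition the patch prevents going forward.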