Like many before me I would love to get the smbk5pwd module up and running, but I have a question.
In OpenLDAP 2.4.7: If I set a password expiration time up (with ppolicy), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
On the flip side, if I set a password expiration time up (with smbk5pwd), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
Or perhaps more to the point, what can I do to keep all three of these passwords either all valid or all expired at the same time?
The documentation is a bit vague on this one point, and the archives left me still in confusion.....
Pat
Pat Riehecky wrote:
> Like many before me I would love to get the smbk5pwd module up and running, but I have a question.
> In OpenLDAP 2.4.7: If I set a password expiration time up (with ppolicy), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
No. The smbk5pwd overlay doesn't know about ppolicy, and vice versa. smbk5pwd could be patched to look for the ppolicy expiration, of course.
> On the flip side, if I set a password expiration time up (with smbk5pwd), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
Likewise, no.
> Or perhaps more to the point, what can I do to keep all three of these passwords either all valid or all expired at the same time?
Extend the smbk5pwd code to synchronize their different policy attributes, and submit your patch to the ITS.
> The documentation is a bit vague on this one point, and the archives left me still in confusion.....
The documentation states exactly what the overlay will manage. Anything that isn't described is clearly not going to be managed.
Pat Riehecky wrote, on 07-01-2008 21:16:
> Like many before me I would love to get the smbk5pwd module up and running, but I have a question.
> In OpenLDAP 2.4.7: If I set a password expiration time up (with ppolicy), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
> On the flip side, if I set a password expiration time up (with smbk5pwd), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords?
> Or perhaps more to the point, what can I do to keep all three of these passwords either all valid or all expired at the same time?
> The documentation is a bit vague on this one point, and the archives left me still in confusion.....
My site's been running an enforced user password-change policy since mid December last. We have both Linux and Samba clients.
OL ppolicy as such will only work for Linux clients using pam_ldap, though password changes using smbk5pwd do change the sambaLMPassword and sambaNTPassword attributes in sync (that's what the smbk5pwd overlay is for). Samba 3.x itself has no support for OL ppolicy and Samba equivalents have to be configured parallel to it, using the Samba pdbedit utility. Only Samba reads the Samba-specific LDAP attributes.
Linux password criteria should be enforced using pam's pam_cracklib component (this is particularly important if the site's using chaining of referrals). NT password strength can be ensured by compiling and using the crackcheck program included with the source.
Updating KerberosV tickets is a completely different kettle of fish and has nothing to do with ppolicy.
--Tonni
openldap-technical@openldap.org
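Since the replies above say that ppolicy, Samba and Heimdal each track expiry on their own, the following added example (not part of the thread and not code from OpenLDAP or Samba) audits exported entries for accounts whose stores disagree about expiry. It assumes the attributes `pwdChangedTime`, `sambaPwdLastSet` and `krb5PasswordEnd`, which the thread does not name, along with illustrative maximum ages of 90 and 180 days; the function names and sample entries are constructed.

```python
from datetime import datetime, timezone

DAY = 86400

def gt_to_epoch(value):
    """Convert LDAP GeneralizedTime ('YYYYmmddHHMMSSZ') to a Unix timestamp."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def expiry_states(entry, pwd_max_age, samba_max_age, now):
    """Return {'ldap'|'samba'|'kerberos': expired?} for the stores present on the entry."""
    states = {}
    # ppolicy: pwdChangedTime plus the policy's pwdMaxAge (0 means no expiry).
    if "pwdChangedTime" in entry and pwd_max_age > 0:
        states["ldap"] = now > gt_to_epoch(entry["pwdChangedTime"]) + pwd_max_age
    # Samba: assumed here to be sambaPwdLastSet plus the account-policy maximum age.
    if "sambaPwdLastSet" in entry and samba_max_age > 0:
        states["samba"] = now > int(entry["sambaPwdLastSet"]) + samba_max_age
    # Heimdal: assumed to carry an explicit krb5PasswordEnd on the principal entry.
    if "krb5PasswordEnd" in entry:
        states["kerberos"] = now > gt_to_epoch(entry["krb5PasswordEnd"])
    return states

def find_drift(entries, pwd_max_age, samba_max_age, now):
    """Map uid -> states for accounts whose stores disagree about expiry."""
    drift = {}
    for entry in entries:
        states = expiry_states(entry, pwd_max_age, samba_max_age, now)
        if len(set(states.values())) > 1:
            drift[entry["uid"]] = states
    return drift

# Constructed sample entries (not real directory data).
NOW = gt_to_epoch("20080108000000Z")
SAMPLE = [
    {"uid": "alice", "pwdChangedTime": "20071201000000Z",
     "sambaPwdLastSet": str(gt_to_epoch("20071201000000Z")),
     "krb5PasswordEnd": "20080301000000Z"},
    {"uid": "bob", "pwdChangedTime": "20070901000000Z",
     "sambaPwdLastSet": str(gt_to_epoch("20070901000000Z")),
     "krb5PasswordEnd": "20080301000000Z"},
    {"uid": "carol", "pwdChangedTime": "20070901000000Z"},  # LDAP-only account
]

if __name__ == "__main__":
    for uid, states in find_drift(SAMPLE, 90 * DAY, 180 * DAY, NOW).items():
        print(uid, states)
```
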