Samba and the password policy draft

Andrew Bartlett abartlet at samba.org
Sun Mar 7 01:38:06 GMT 2004


I have recently been made aware of the existence of 

draft-behera-ldap-password-policy-07.txt

and I would like to work with the ldapext group to make Samba suitable
for use with it, and the draft suitable for use with Samba (as well as a
number of other tools in this class, being Cyrus-SASL and Heimdal's
hdb-ldap in particular).

These tools all have one thing in common, that is that they do not
generally ship cleartext passwords to LDAP when checking passwords. 
Instead, they use administrative rights to read the user's password and
perform challenge-response on them.  

Similarly, these tools often do not have the original plaintext password
for password changes, only the new plaintext.  Again, this means that
these operations are performed as some administrative user.

However, I can see great value in ensuring that Samba complies with the
password policies in force on the rest of the directory, and more
particularly, to allow Samba password policies (in some way derived from
what MS does, as we match our NT4 semantics) to be set in the directory,
using both NT and native LDAP tools.

What I am looking for is some additional control or operation that may
be used by Samba/Heimdal/etc to say 'a user just logged in, with the
right password', and 'a user just tried to log in with a wrong
password'.  

Likewise, some additional control to say 'this password change on behalf
of a user', would fix my second concern.  

I realise that these could be considered to be 'not LDAP's problem' (as
it regards password comparisons outside the directory), but in the
interests of seamless directory integration, I hope that some
accommodation can be made, particularly in the interests of
cross-protocol, cross-application consistency.

(Indeed Samba and some other tools may read the user's plaintext
password out of the userPassword attribute.  It would be a pity to
defeat the max bad password checks while attempting to make an
administrator's life *easier*...)

Finally, I apologise if I have messed up some of the finer details of
LDAP here.  While I have spent a lot of time (along with many others)
working on pdb_ldap in Samba, I am far from an LDAP guru...

Is this something the working group is willing to consider?

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
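The accounting gap the mail describes, as an added example that is not code from the mail, from Samba, or from the draft: a constructed in-memory directory enforces a draft-behera-style lockout policy (the attribute names pwdMaxFailure, pwdLockout, pwdLockoutDuration, pwdFailureTime and pwdAccountLockedTime are the draft's; the values are made up), while an application reads the stored verifier with administrative rights and checks a challenge-response itself, so the directory never sees the failed attempts. The `report_auth_result` operation is a hypothetical stand-in for the control Andrew asks for, and the unsalted SHA-256 verifier with an HMAC response is a constructed stand-in for the NT hash and NTLM exchange, not the real algorithms.

```python
"""Constructed simulation: does out-of-directory password checking defeat pwdMaxFailure?"""
import hashlib
import hmac


class Directory:
    """In-memory stand-in for an LDAP server with a draft-behera style password policy."""

    def __init__(self, pwd_max_failure=3, pwd_lockout_duration=900):
        # Attribute names follow draft-behera-ldap-password-policy; values are constructed.
        self.policy = {"pwdMaxFailure": pwd_max_failure,
                       "pwdLockout": True,
                       "pwdLockoutDuration": pwd_lockout_duration}
        self.entries = {}

    @staticmethod
    def verifier(password):
        # Unsalted hash, constructed stand-in for the NT hash that pdb_ldap stores/reads.
        return hashlib.sha256(password.encode("utf-8")).digest()

    def add_user(self, dn, password):
        self.entries[dn] = {"verifier": self.verifier(password),
                            "pwdFailureTime": [],          # operational: times of failed attempts
                            "pwdAccountLockedTime": None}  # operational: set when lockout starts

    def is_locked(self, dn, now):
        locked_at = self.entries[dn]["pwdAccountLockedTime"]
        return locked_at is not None and now - locked_at < self.policy["pwdLockoutDuration"]

    def _record_result(self, dn, success, now):
        e = self.entries[dn]
        if success:
            e["pwdFailureTime"] = []   # a good password resets the failure history
            return
        e["pwdFailureTime"].append(now)
        if self.policy["pwdLockout"] and len(e["pwdFailureTime"]) >= self.policy["pwdMaxFailure"]:
            e["pwdAccountLockedTime"] = now

    def bind(self, dn, password, now):
        """Simple bind: the directory sees the password, so it can enforce the policy itself."""
        if self.is_locked(dn, now):
            return False
        ok = hmac.compare_digest(self.verifier(password), self.entries[dn]["verifier"])
        self._record_result(dn, ok, now)
        return ok

    def admin_read_verifier(self, dn):
        """Privileged read of the stored verifier, the path Samba/Heimdal use today."""
        return self.entries[dn]["verifier"]

    def report_auth_result(self, dn, success, now):
        """Hypothetical operation: tell the directory about an authentication it did not see."""
        self._record_result(dn, success, now)


class ChallengeResponseAuthenticator:
    """Application that verifies a challenge-response locally against the stored verifier."""

    def __init__(self, directory, report_results):
        self.directory = directory
        self.report_results = report_results

    def authenticate(self, dn, challenge, response, now):
        if self.directory.is_locked(dn, now):   # only effective if failures were ever reported
            return False
        expected = hmac.new(self.directory.admin_read_verifier(dn), challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if self.report_results:
            self.directory.report_auth_result(dn, ok, now)
        return ok


def client_response(password, challenge):
    """What a legitimate client computes; constructed scheme, not NTLM."""
    return hmac.new(Directory.verifier(password), challenge, hashlib.sha256).digest()


def run_scenario(mode, attempts=5):
    """mode: 'bind', 'app-silent' or 'app-reporting'.
    Returns (account_locked_after_attempts, correct_password_accepted_afterwards)."""
    dn = "uid=alice,dc=example,dc=org"   # constructed DN
    d = Directory(pwd_max_failure=3)
    d.add_user(dn, "correct horse")
    app = ChallengeResponseAuthenticator(d, report_results=(mode == "app-reporting"))
    challenge = b"\x01" * 8

    def attempt(password, now):
        if mode == "bind":
            return d.bind(dn, password, now)
        return app.authenticate(dn, challenge, client_response(password, challenge), now)

    for t in range(attempts):
        attempt("wrong%d" % t, now=t)
    return d.is_locked(dn, now=attempts), attempt("correct horse", now=attempts)


if __name__ == "__main__":
    for m in ("bind", "app-silent", "app-reporting"):
        print(m, run_scenario(m))
```

Running it shows the point of the mail: with `bind`, five wrong guesses lock the account and the correct password is then refused; with `app-silent` (today's read-the-hash-and-verify-locally behaviour) the directory records nothing, the account never locks, and the correct password is still accepted after the guesses; with `app-reporting` the hypothetical control restores the same lockout the bind path enforces.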