Samba and the password policy draft

Andrew Bartlett abartlet at
Mon Mar 15 00:55:11 GMT 2004

On Mon, Mar 15, 2004 at 01:10:05PM +1300, Simon Annear wrote:
> Jim Sermersheim wrote:
> >  >>> Andrew Bartlett <abartlet at> 3/6/04 6:38:06 PM >>>
> >  >What I am looking for is some additional control or operation that may
> >  >be used by Samba/Heimdal/etc to say 'a user just logged in, with the
> >  >right password', and 'a user just tried to log in with a wrong
> >  >password'.
> > 
> > I'm toying with the notion of changing the draft such that it describes 
> > password policy decision points, and then refers to those decision 
> > points when talking about how to implement operations like bind and 
> > compare. Once this is done, it should be easy to create new operations 
> > (like those you mentioned) and specify which password policy decision 
> > points are invoked during those new operations.
> >  
> > The first thing I noticed when looking at doing this is that the current 
> > wording for bind (and compare) require server implementations to check 
> > for a locked account prior to performing the password comparison. I 
> > think we did this either as an optimization, or because we deemed it 
> > important to always check for the locked account condition. I think 
> > it'll be ok to just make a statement that this condition must be checked 
> > whether the password comparison succeeds or fails.
> >  
> > The only reason I bring this up is because the suggested operations 
> > above don't/can't follow the current pattern (unless there's also a 
> > 'this user is going to log in' precheck operation — yuk).

Kerberos (at least per win2k, but I think it is standard) checks
before the password is compared (leaks info on a disabled account
rather than info on the password itself), while NTLM checks the
password before checking the 'disabled' flag.  If you change the order,
things break....

However, as we don't tell the client the intermediate result, it
should not matter where in the sequence we check with LDAP.

> > Jim
> My two cents worth
> I know that the SunOne (JES) Directory server implements its own 
> password lockout system.  I would expect that OpenLDAP should provide 
> the same functionality (I know it doesn't at this point in time).  I 
> believe that Novell and Microsoft's LDAP servers also all offer the same 
> functionality.
> I guess this means that if you're using samba via pam talking to LDAP, 
> when you try and authenticate as the user you would get back an error 49 
> (0x31) invalid credentials.

Except that this is completely incompatible with almost all Samba
users, because it requires plaintext passwords.

> My way of thinking is that this means much less to administer, and if a 
> user locks their account (via email, login, smb, whatever) then it is 
> locked across the board.  I'm sure everyone on this group has grappled 
> with keeping LDAP, NIS and Windows passwords synced - who wants to try 
> and keep account lockout details synced as well.
> At the end of the day - one repository for user information, and the 
> least duplication of details the better.

This is what we hope to achieve.

Andrew Bartlett
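The "password policy decision points" idea Jim describes, and Andrew's point that the order of the lockout check does not matter as long as the client only sees the final result, as an added toy model that is not code from the thread or from any of the directory servers named. It assumes a made-up lockout threshold (MAX_FAILURES) and a minimal Account record, and shows both an LDAP bind and the "a user just logged in with the right/wrong password" operation Andrew asks for sharing one lockout state.

```python
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # 0x31, the resultCode quoted in the thread
MAX_FAILURES = 3                # constructed policy value, not from the draft


@dataclass
class Account:
    password: str
    failures: int = 0
    locked: bool = False

# Decision points: every authentication path, LDAP or not, goes through these.

def is_locked(acct: Account) -> bool:
    return acct.locked


def on_password_result(acct: Account, correct: bool) -> None:
    """Update the shared lockout state after a comparison, whoever did it."""
    if correct:
        acct.failures = 0
    else:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True

# Operations assembled from the decision points.

def ldap_bind(acct: Account, password: str, lock_check_first: bool) -> int:
    """Simple bind. Where the lockout check sits relative to the comparison
    is a parameter; the client sees only success or invalidCredentials."""
    if lock_check_first and is_locked(acct):
        return LDAP_INVALID_CREDENTIALS
    correct = acct.password == password
    on_password_result(acct, correct)
    # Lockout is checked whether or not the comparison succeeded.
    if is_locked(acct) or not correct:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def report_external_auth(acct: Account, correct: bool) -> bool:
    """The extra operation Andrew asks for: an authenticator that did its own
    comparison (e.g. NTLM in Samba) reports the outcome; returns whether the
    login may proceed under the shared lockout state."""
    on_password_result(acct, correct)
    return correct and not is_locked(acct)
```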

More information about the samba-technical mailing list