[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

Ryan Steele ryans at aweber.com
Sun Oct 5 19:33:55 GMT 2008

Alexandre Biancalana wrote:
> On 10/2/08, Ryan Steele <ryans at aweber.com> wrote:
>> Volker Lendecke wrote:
>>> On Mon, Sep 29, 2008 at 10:14:01AM -0400, Adam Tauno Williams wrote:
>>>> This is, AFAIK, the only solution currently.  We do the
>>>> same thing.  It stinks.
>>> As I said in the former mail thread: Patches are welcome. If
>>> you really want it done quickly, some companies on
>>> http://samba.org/samba/support also offer development
>>> services.
>>> Volker
>>  Unfortunately, I suspect that many of the folks who probably want this done
>> are system administrators, not software developers.  As a systems
>> administrator, I do have the ability to write code, but all I really use in
>> my day-to-day life is Perl and Bash, maybe dabbling in some Python or Ruby.
>> As Samba is written primarily in C, I probably wouldn't write very good
>> patches for it - I find that my proficiency lies in the languages I actually
>> use now, not the ones I used during undergrad in college.  And while I'd
>> love just dump money in to the project (or have an employer do it), that's
>> just not always a reality (especially not the amounts needed to fund
>> development efforts).
>>  All that being said, I'd be curious to know where this lies in the current
>> development pipeline (if at all).  Again, I (and I believe the community)
>> think this would be very beneficial to Samba as a use and marketing tool,
>> and deserves some consideration.  I'm happy to do what I can - testing,
>> tracking down bugs (even if I can't submit working patches), and money when
>> I have it.  But mostly I rely on good developers to develop, so that I can
>> focus on my role in the chain - testing it and implementing it in real-world
>> situations, and promoting it by installing it in all applicable
>> environments.
>>  However, it can't be overstated how much I appreciate the work that has
>> been done up to this point on Samba - it's a fantastic piece of software.
>> Keep up the good work!
> Do we have any paper explaining the work that have to be done ? Or
> early patches (proof of concept) that could be used as starting point
> for this ?
I don't think there are either of those (officially).  The thread I
started back in April (which starts here:
http://lists.samba.org/archive/samba/2008-April/139711.html) has all the
technical details on exactly what happens currently, and suggestions
about how it could be fixed.  But, I can try and sum up the general idea
of what's wrong (as best I can remember, forgive me if I'm a little off
in some aspects - it's been several months since I've dealt with it),
and how it could be fixed.

Take the case where a Windows user has logged in to the Samba domain,
and attempts to change their password by hitting ctrl+alt+delete.  The
user provides their old password, and the new password, and sends both
to Samba.  Samba then checks to see what its passdb backend is, which
in this case would be ldapsam:ldap://server, and as a result sends the
old and new password to LDAP.  If LDAP is using the ppolicy overlay, it
checks to see if the new password meets all the criteria defined in the
ppolicy.  Take the ppolicy entry I described in that thread:

dn: cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE

This is an entry that is visible to ANYBODY who queries LDAP.  It uses
the above attributes to check if the password is sufficient - e.g.:

   Is it long enough (pwdMinLength - minimum six characters)?
   Is it one of the last 6 passwords (pwdInHistory)?
   Is it strong enough (pwdCheckModule - it uses check_password.so to
check the strength.... the check_password.so was a shared object created
by compiling a small C program I wrote that checked to see if the
password had at least 3 out of 4 of the following: one uppercase letter,
one lowercase letter, a number, and a punctuation mark.  The
pwdCheckModule has to be of the form described here:

If the user provided a password that only had numbers in it, it would
fail the pwdCheckModule check because it only met 1 of those 4 strength
criteria, and LDAP returns 0x13 (NT_STATUS_PASSWORD_RESTRICTION) and the
following message to Samba:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
        Password fails quality checking policy

But, instead of passing that message back to the user, Samba checks its
own internal database to see what it should return to the client when it
gets NT_STATUS_PASSWORD_RESTRICTION, and returns that instead.  As a
result, you have to enforce the exact same checks you have in your LDAP
ppolicy in Samba as well (using pdbedit).

The ideal solution is described in this part of that old thread:
http://lists.samba.org/archive/samba/2008-April/139791.html.  All Samba
should really have to do is listen to the responses LDAP gives it.
Volker seemed to think this was feasible.
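The 3-of-4 character-class rule Ryan describes, written as a ppolicy pwdCheckModule, as an added example that is neither Ryan's check_password.so nor OpenLDAP code. The check_password entry-point name and signature are assumed to match OpenLDAP's pwdCheckModule convention (the link elided above), the error-string ownership is an assumption, and Entry is declared opaque so the file compiles without slapd headers; a numbers-only password is rejected exactly as in the log above.

```c
/* Added example pwdCheckModule: accept a password only if it contains at
 * least 3 of the 4 classes upper, lower, digit, punctuation. Length and
 * history are still enforced by ppolicy itself (pwdMinLength, pwdInHistory),
 * so this module only has to judge composition. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Entry Entry;   /* opaque stand-in for slapd's Entry (assumption) */
#define LDAP_SUCCESS 0        /* the accept code ppolicy expects from the module */

/* Count how many of the four character classes the candidate covers. */
int password_class_count(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, punct = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c))      upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
    }
    return upper + lower + digit + punct;
}

/* Module entry point (assumed signature). Returns LDAP_SUCCESS to accept,
 * nonzero to reject; on rejection *ppErrStr gets a heap-allocated message,
 * which is what the overlay reports as the "Constraint violation" text. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    (void)pEntry;             /* entry attributes are not needed for this rule */
    int classes = password_class_count(pPasswd);
    if (classes >= 3) {
        *ppErrStr = NULL;
        return LDAP_SUCCESS;
    }
    char msg[96];
    snprintf(msg, sizeof msg,
             "Password uses only %d of 4 character classes (need 3)", classes);
    size_t n = strlen(msg) + 1;
    *ppErrStr = malloc(n);    /* freed by the caller (assumption about ownership) */
    if (*ppErrStr)
        memcpy(*ppErrStr, msg, n);
    return 1;
}
```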

