[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

Ryan Steele ryans at aweber.com
Sun Sep 28 21:07:18 GMT 2008

Volker Lendecke wrote:
> On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
>> Some months back, I entertained a conversation with Volker Lendecke, 
>> Adam Tauno Williams, and Simo Sorce about getting Samba to play nice 
>> with LDAP's ppolicy overlay.  (Thread starts here: 
>> http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends 
>> here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)  
>> I was wondering if any progress had been made on this front that would 
>> make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit 
>> more streamlined?  Certainly, there have to be more than a few folks out 
>> there who would see this as a huge leap for Samba, and give it more of 
>> an edge in the market?
> At least I'm not aware of anything that has been done.
> Sorry,
> Volker

Well, given that nothing has been done, what are other folks doing to 
synchronize Samba password policies with LDAP password policies?

I remember (and the aformentioned thread explains) the situation where a 
Windows client would attempt to change their password to something weak, 
and Samba would then ask LDAP if the password met the ppolicy 
restrictions.  If it didn't, LDAP would return a message stating that 
the password policy was violated, but Samba would return a completely 
unrelated error message (even though it clearly got the ppolicy message 
from LDAP).

My workaround was to implement the same security policy in Samba via 
pdbedit, so essentially the LDAP policies were duplicated in Samba.  
Another thread I was involved in back then 
(http://lists.samba.org/archive/samba/2008-April/139594.html) briefly 
describes this.  But, again, this is far from the perfect situation of 
having one universal way to enforce password policies, and still has 
it's share of problems.

I'd be interested to hear what others have done to circumvent or 
otherwise work around this type of problem.


More information about the samba mailing list