[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Ryan Steele
ryans at aweber.com
Sun Sep 28 21:07:18 GMT 2008
Volker Lendecke wrote:
> On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
>
>> Some months back, I entertained a conversation with Volker Lendecke,
>> Adam Tauno Williams, and Simo Sorce about getting Samba to play nice
>> with LDAP's ppolicy overlay. (Thread starts here:
>> http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends
>> here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)
>> I was wondering if any progress had been made on this front that would
>> make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit
>> more streamlined? Certainly, there have to be more than a few folks out
>> there who would see this as a huge leap for Samba, and give it more of
>> an edge in the market?
>>
>
> At least I'm not aware of anything that has been done.
>
> Sorry,
>
> Volker
>
Well, given that nothing has been done, what are other folks doing to
synchronize Samba password policies with LDAP password policies?
I remember (and the aforementioned thread explains) the situation where a
Windows client would attempt to change their password to something weak,
and Samba would then ask LDAP if the password met the ppolicy
restrictions. If it didn't, LDAP would return a message stating that
the password policy was violated, but Samba would return a completely
unrelated error message (even though it clearly got the ppolicy message
from LDAP).
My workaround was to implement the same security policy in Samba via
pdbedit, so essentially the LDAP policies were duplicated in Samba.
Another thread I was involved in back then
(http://lists.samba.org/archive/samba/2008-April/139594.html) briefly
describes this. But, again, this is far from the perfect situation of
having one universal way to enforce password policies, and still has
its share of problems.
I'd be interested to hear what others have done to circumvent or
otherwise work around this type of problem.
Respectfully,
Ryan
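The workaround Ryan describes (duplicating the ppolicy settings in Samba via pdbedit) can be kept in step with a small script. This is an added example, not from the thread or from Samba's own tooling: it translates an OpenLDAP ppolicy entry into the matching pdbedit account-policy commands. It assumes the Samba 3 account-policy names and units (seconds for password ages, minutes for lockout duration and reset count); the LDIF below is constructed sample data.

```sh
#!/bin/sh
# Added example: derive pdbedit account-policy commands from an OpenLDAP
# ppolicy entry so the Samba policy mirrors the LDAP one.
# Assumptions: Samba 3 pdbedit policy names; password ages in seconds,
# lockout duration and reset count in minutes (ppolicy uses seconds).

# Constructed sample pwdPolicy entry, as "ldapsearch -LLL" would print it.
SAMPLE_PPOLICY='dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000
pwdMinAge: 86400
pwdMaxFailure: 5
pwdLockoutDuration: 1800
pwdFailureCountInterval: 900'

# ppolicy_attr LDIF ATTR -> value of ATTR (first occurrence), empty if absent
ppolicy_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { print $2; exit }'
}

# emit NAME VALUE -> one pdbedit command, skipped when VALUE is empty
emit() {
    if [ -n "$2" ]; then
        printf 'pdbedit -P "%s" -C %s\n' "$1" "$2"
    fi
}

# ppolicy_to_pdbedit LDIF -> pdbedit commands, one per line
ppolicy_to_pdbedit() {
    ldif=$1
    emit "min password length"  "$(ppolicy_attr "$ldif" pwdMinLength)"
    emit "password history"     "$(ppolicy_attr "$ldif" pwdInHistory)"
    emit "maximum password age" "$(ppolicy_attr "$ldif" pwdMaxAge)"
    emit "minimum password age" "$(ppolicy_attr "$ldif" pwdMinAge)"
    emit "bad lockout attempt"  "$(ppolicy_attr "$ldif" pwdMaxFailure)"
    # Samba stores these two in minutes, so convert from ppolicy seconds.
    dur=$(ppolicy_attr "$ldif" pwdLockoutDuration)
    if [ -n "$dur" ]; then emit "lockout duration" $((dur / 60)); fi
    ivl=$(ppolicy_attr "$ldif" pwdFailureCountInterval)
    if [ -n "$ivl" ]; then emit "reset count minutes" $((ivl / 60)); fi
}

# Dry run: print the commands; review them, then pipe into sh on the PDC.
ppolicy_to_pdbedit "$SAMPLE_PPOLICY"
```

Replace SAMPLE_PPOLICY with the output of an ldapsearch against the real pwdPolicy entry to regenerate the commands whenever the LDAP policy changes.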