[Samba] 'check password script' and Join...
Rowland Penny
rpenny at samba.org
Wed Oct 25 14:43:31 UTC 2017
On Wed, 25 Oct 2017 16:21:03 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! Andrew Bartlett via samba
> On that day it was said...
>
> > Thanks for asking for clarification, I hope this puts you at ease.
>
> Sure! Thanks to you!
>
>
> Only a bit more:
>
> > > PS: and domain members? How do they enforce password policies?
> > > Directly on AD DC, I suppose... but I'll ask. ;-)
>
> > They don't ask the DC for the choice of local user passwords as far
> > as I'm aware. There is an API to check if a password is OK (SAMR
> > ValidatePassword), but I've not seen it called for that, but I've
> > also not really been looking.
>
> No, I was not clear. I don't mean ''password quality'', but ''password
> age''.
>
> In NT/LDAP/smbldap-tools mode, I used to populate shadow account LDAP
> data, ''copying'' the expiration date from the Samba/Windows ones, so I've
> added the NSS 'shadow' ldap context and the POSIX layer is aware of
> password expiration.
>
> I supposed now that passwords are checked against the DC in a
> ''black/white'' way, e.g. if I try to authenticate I get something like:
> a) good
> b) bad password
> c) password expired, please change
> d) account disabled
>
> Right?
>
Yes
>
> Has no one tried to add a 'shadow' context in winbind? I'm simply
> curious... ;-)
>
If you mean adding 'winbind' to the shadow line in /etc/nsswitch.conf,
then yes, this has been tried and it didn't work, in fact it broke
things ;-)
Rowland