[Samba] 'check password script' and Join...

Rowland Penny rpenny at samba.org
Wed Oct 25 14:43:31 UTC 2017

On Wed, 25 Oct 2017 16:21:03 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Andrew Bartlett via samba
>   In chel di` si favelave...
> > Thanks for asking for clarification, I hope this puts you at ease.
> Sure! Thanks to you!
> Only a bit more:
> > > PS: and domain members? How they enforce passwords policies?
> > > Directly on AD DC, i suppose... but i'll ask. ;-)
> > They don't ask the DC for the choice of local user passwords as far
> > as I'm aware.  There is an API to check if a password is OK (SAMR
> > ValidatePassword), but I've not seen it called for that, but I've
> > also not really been looking. 
> No, i was not clear. I don't mean ''password quality'', but ''password
> age''.
> In NT/LDAP/smbldap-tools mode, i used to populate shadow account LDAP
> data, ''copying'' expiration date from Samba/Windows ones, so i've
> addedd NSS 'shadow' ldap context and the POSIX layer are aware of
> password expiration.
> I supposed now that password are checked against DC in a
> ''black/white'' way, eg if i try to authenticate i gat something like:
>  a) good
>  b) bad password
>  c) password expired, please change
>  d) account disabled
> Right?


> No one have tried to add 'shadow' context in winbind? I'm simply
> curious... ;-)

If you mean adding 'winbind' to the shadow line in /etc/nsswitch.conf,
then yes, this has been tried and it didn't work, in fact it broke
things ;-)

More information about the samba mailing list