password policy on samba 3.0

Aurélien Degrémont adegremont at idealx.com
Wed Oct 29 13:43:52 GMT 2003


Andrew Bartlett wrote:

>On Tue, 2003-10-28 at 21:42, Aurélien Degrémont wrote:
>
>>Hi,
>>
>>We're presently working on patches concerning "password policy".
>>Here is "where we are" :)
>>
>>In order to have these patches ready, some changes must be added to
>>SAM_ACCOUNTs.
>>And, to have these changes done, TDBSAM must be upgraded.
>>I have made a patch for TDBSAM which was proposed a week ago. I'm
>>waiting for Samba Team's comments.
>
>Any chance of doing the ldapsam part too?  We might be able to get in
>everything except the TDB mods before the TDB format changes can be
>properly reviewed.
>
Except for the atomicity stuff, a patch with the ldapsam implementation has
already been posted a month ago (lock policy).
It was based on JianLiang Lu's work and ported to the Samba 3 final release
with many improvements, and all backends accept it.

But you objected to some points, such as the need for atomic modifications
and a transparent upgrade for tdbsam.
The first version of the patch for tdbsam is ready.
And I will soon start to implement the feature for atomicity.
I will try to add to the pdb_methods a new function 'increment...'
which will manage atomic increments of "counter fields" such as bad_passwd_count.
I agree it will not be easy, but if it is needed to add the "password
policy" patch, I will do it.

>>Moreover, if we want "password uniqueness", a new field must be added,
>>in order to store the former passwords.
>>I started a discussion concerning the fields that must be added (a week
>>ago too), and I'm also waiting for comments about it.
>
>Any idea how microsoft stores them, or is it always an external plugin?
>
I don't know where they are stored. I suppose it's inside the Windows
registry, but I'm not sure.
Concerning Samba, as Simo said, a field with comma-separated hashes
(salted) will be sufficient.

But, for all of this, modifications must be done to SAM_ACCOUNT, and so
to the backends. Even if we just test it on LDAP, the schema will be
modified. Look at my previous patches.


Aurélien Degrémont
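Two ideas in the message above lend themselves to a worked model: the "password uniqueness" field holding comma-separated salted hashes of former passwords, and the 'increment...' method that must update counter fields such as bad_passwd_count atomically. The Python below is an added example written for this archive page; it is not Samba code and does not use Samba's pdb_methods or TDB/LDAP backends. It assumes an entry layout of hex salt and hex digest joined by '$', PBKDF2-SHA256 as the salted hash, a history length of five, and a threading lock standing in for the backend-level atomicity the thread discusses; all of those are assumptions, not details from the message.

```python
import hashlib
import hmac
import secrets
import threading

# Illustrative policy parameters (assumptions, not values from the thread).
HISTORY_LEN = 5            # how many former passwords the field keeps
PBKDF2_ITERATIONS = 20_000 # kept small so the example runs quickly
SEPARATOR = ","            # the "comma-separated hashes" layout from the thread


def _derive(password: str, salt: bytes) -> str:
    """Salted hash of one password; PBKDF2-SHA256 is an assumed choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS).hex()


def hash_password(password: str, salt: bytes) -> str:
    """One history entry: hex salt and hex digest joined by '$' (assumed layout)."""
    return salt.hex() + "$" + _derive(password, salt)


def parse_history(field: str) -> list:
    """Split the stored field into entries, ignoring empty slots."""
    return [e for e in field.split(SEPARATOR) if e]


def password_in_history(password: str, field: str) -> bool:
    """True if the candidate equals any former password recorded in the field.
    Each entry carries its own salt, so the candidate is re-derived per entry."""
    for entry in parse_history(field):
        salt_hex, digest_hex = entry.split("$", 1)
        candidate = _derive(password, bytes.fromhex(salt_hex))
        if hmac.compare_digest(candidate, digest_hex):
            return True
    return False


def push_history(password: str, field: str, keep: int = HISTORY_LEN) -> str:
    """Return the field with the new password's hash prepended and the
    oldest entries dropped beyond `keep`."""
    salt = secrets.token_bytes(16)
    entries = [hash_password(password, salt)] + parse_history(field)
    return SEPARATOR.join(entries[:keep])


def change_password(new_password: str, field: str) -> str:
    """Enforce uniqueness: reject reuse of a remembered password, otherwise
    record the new hash and return the updated field value."""
    if password_in_history(new_password, field):
        raise ValueError("password reuse rejected by policy")
    return push_history(new_password, field)


class SamAccountCounters:
    """Counter fields of an account. The read-modify-write happens under a
    lock so concurrent failed logons never lose an update; the lock models
    the atomic 'increment...' method idea, a real backend would need its
    own atomic update primitive."""

    def __init__(self):
        self.bad_passwd_count = 0
        self._lock = threading.Lock()

    def increment_bad_passwd_count(self) -> int:
        with self._lock:
            self.bad_passwd_count += 1
            return self.bad_passwd_count


def simulate_failed_logons(threads: int = 8, per_thread: int = 500) -> int:
    """Run concurrent bursts of failed logons; returns the final counter value,
    which must equal threads * per_thread if increments are atomic."""
    counters = SamAccountCounters()

    def burst():
        for _ in range(per_thread):
            counters.increment_bad_passwd_count()

    workers = [threading.Thread(target=burst) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return counters.bad_passwd_count


if __name__ == "__main__":
    field = ""  # constructed empty history field for a fresh account
    for pw in ["Winter2003", "Spring2004"]:
        field = change_password(pw, field)
    print("history entries:", len(parse_history(field)))
    try:
        change_password("Winter2003", field)
    except ValueError as err:
        print("reuse blocked:", err)
    print("bad_passwd_count after bursts:", simulate_failed_logons())
```

Storing a fresh random salt with every entry means the stored field never reveals whether two former passwords were identical, and the per-entry comparison is constant-time; truncating to the history length is what gives the "last N passwords" semantics rather than an ever-growing field.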


