[Freeipa-devel] freeIPA as a samba backend

Dmitri Pal dpal at redhat.com
Tue Jun 26 14:35:18 UTC 2012


On 06/25/2012 09:02 PM, Loris Santamaria wrote:
> Hi,
>
> while using freeIPA as a user database for a samba installation I found
> a problem in the enforcement of password policies. FreeIPA password
> policies are more detailed than samba's; in freeIPA one may enforce
> password history and the number of character classes in a password, but
> normally samba connects to freeIPA with the "Directory Manager" so those
> policies are not enforced.
>
> Reading the source of ipa_pwd_extop I see there are three possibilities
> when changing passwords:
>
>       * Password change by the user, with full enforcement of policies
>       * Password change by an admin, with no enforcement of policies and
>         the new password is set as expired so the user has to change it
>         on next logon
>       * Password change by Directory Manager, with no enforcement of
>         policies and the password is not set as expired.
>
> None of the aforementioned possibilities are ideal for samba; samba
> should connect to freeIPA with a user privileged enough to change
> passwords for all users but with fully enforced policies.
>
> What do you think about this? Would you consider adding such a feature?
> Would you accept patches?
>

Can you please explain why samba needs to connect to IPA and change the
passwords?
In what role do you use samba? As a file server or as something else?
I am not sure I follow why you need the password change functionality.
There is a way to set up Samba FS with IPA without trying to make IPA a
back end for Samba.
I can try to dig up some writeups on the matter if you are interested.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

