[Freeipa-devel] freeIPA as a samba backend

Dmitri Pal dpal at redhat.com
Tue Jun 26 17:13:18 UTC 2012 

On 06/26/2012 11:11 AM, Loris Santamaria wrote:
> El mar, 26-06-2012 a las 10:35 -0400, Dmitri Pal escribió:
>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
>>> Hi,
>>>
>>> while using freeIPA as a user database for a samba installation I found
>>> a problem in the enforcement of password policies. FreeIPA password
>>> policies are more detailed than samba's, in freeIPA one may enforce
>>> password history and the number of character classes in a password, but
>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>> policies are not enforced.
>>>
>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>> when changing passwords:
>>>
>>>       * Password change by the user, with full enforcement of policies
>>>       * Password change by an admin, with no enforcement of policies and
>>>         the new password is set as expired so the user has to change it
>>>         on next logon
>>>       * Password change by Directory Manager, with no enforcement of
>>>         policies and the password is not set as expired.
>>>
>>> None of the aforementioned possibilities are ideal for samba, samba
>>> should connect to freeIPA with a user privileged enough to change
>>> password for all users but with fully enforced policies.
>>>
>>> What do you think about this? Would you consider adding such feature?
>>> Would you accept patches?
>>>
>> Can you please explain why samba needs to connect to IPA and change
>> the passwords?
>> In what role you use samba? As a file server or as something else?
>> I am not sure I follow why you need the password change functionality.
>> There is a way to setup Samba FS with IPA without trying to make IPA a
>> back end for Samba.
>> I can try to dig some writeups on the matter if you are interested.
> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
> database. To do that samba connects with a privileged user to the LDAP
> directory and manages some attributes of users and groups in the
> directory, adding the sambaSAMAccount objectclass and the sambaSID
> attribute to users, groups and machines of the domain.
>
> When users of Windows workstations in a samba domain change their
> passwords samba updates the sambaNTPassword, userPassword,
> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
> ldap user.
>
> Using freeIPA as ldap user backend for samba works quite well, except
> for the password policy problem mentioned in last mail and that it is
> hard to mantain in sync the enabled/disabled status of an account. 

What is the value of using FreeIPA as a Samba back end in comparison to
other variants?
Why IPA is more interesting than say 389-DS or OpenLDAP or native Samba?
What other features of IPA are used in such setup?

Answering these (and may be other) questions would help us to understand
how common is the use case that you brought up.

>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120626/80352c1e/attachment.htm>

More information about the Freeipa-devel mailing list