[Freeipa-devel] freeIPA as a samba backend

Rich Megginson rmeggins at redhat.com
Tue Jun 26 17:28:43 UTC 2012


On 06/26/2012 11:13 AM, Dmitri Pal wrote:
> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>> Hi,
>>>>
>>>> while using freeIPA as a user database for a samba installation I found
>>>> a problem in the enforcement of password policies. FreeIPA password
>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>> password history and the number of character classes in a password, but
>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>> policies are not enforced.
>>>>
>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>> when changing passwords:
>>>>
>>>>        * Password change by the user, with full enforcement of policies
>>>>        * Password change by an admin, with no enforcement of policies and
>>>>          the new password is set as expired so the user has to change it
>>>>          on next logon
>>>>        * Password change by Directory Manager, with no enforcement of
>>>>          policies and the password is not set as expired.
>>>>
>>>> None of the aforementioned possibilities is ideal for samba; samba
>>>> should connect to freeIPA with a user privileged enough to change
>>>> passwords for all users but with fully enforced policies.
>>>>
>>>> What do you think about this? Would you consider adding such feature?
>>>> Would you accept patches?
>>>>
>>> Can you please explain why samba needs to connect to IPA and change
>>> the passwords?
>>> In what role do you use samba? As a file server or as something else?
>>> I am not sure I follow why you need the password change functionality.
>>> There is a way to set up Samba FS with IPA without trying to make IPA a
>>> back end for Samba.
>>> I can try to dig up some writeups on the matter if you are interested.
>> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
>> database. To do that samba connects with a privileged user to the LDAP
>> directory and manages some attributes of users and groups in the
>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>> attribute to users, groups and machines of the domain.
>>
>> When users of Windows workstations in a samba domain change their
>> passwords samba updates the sambaNTPassword, userPassword,
>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>> ldap user.
>>
>> Using freeIPA as an ldap user backend for samba works quite well, except
>> for the password policy problem mentioned in my last mail and that it is
>> hard to maintain in sync the enabled/disabled status of an account.
>
> What is the value of using FreeIPA as a Samba back end in comparison
> to other variants?
> Why is IPA more interesting than say 389-DS or OpenLDAP or native Samba?

IPA will keep all of your passwords in sync - userPassword,
sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
cannot do this - the functionality that does this is provided by an IPA
password plugin.  OpenLDAP has a similar plugin, but I think it is
"contrib" and not "officially supported".

> What other features of IPA are used in such setup?
>
> Answering these (and maybe other) questions would help us to
> understand how common the use case that you brought up is.
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
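To make the three ipa_pwd_extop cases from the thread concrete, here is an added example (not code from the thread or from FreeIPA itself): a constructed model of which bind identity gets policy enforcement and which gets the password marked expired, with a minimal policy covering the two checks the thread names, character classes and password history. The bind DN strings, `Policy` fields and `admins` parameter are assumptions for the model only.

```python
# Constructed model of the three password-change paths described in the
# thread; not FreeIPA's ipa_pwd_extop code. Bind DNs and policy values
# below are assumptions chosen for illustration.
import hashlib
from dataclasses import dataclass

DIRECTORY_MANAGER = "cn=Directory Manager"  # the bind DN Samba typically uses


@dataclass
class Policy:
    min_classes: int = 3    # distinct character classes a password must contain
    history_size: int = 5   # number of previous passwords that may not be reused


def _classes(pw):
    """Count distinct character classes: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(f(c) for c in pw) for f in checks)


def _pw_hash(pw):
    # History stores only a digest, never the clear-text password.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_policy(pw, history, policy):
    """Return a list of policy violations (empty means the password is acceptable)."""
    errors = []
    if _classes(pw) < policy.min_classes:
        errors.append("too few character classes")
    if _pw_hash(pw) in history[-policy.history_size:]:
        errors.append("password reuse")
    return errors


def change_password(binder, target, new_pw, history, policy, admins=()):
    """Return (accepted, errors, expired) following the thread's three cases."""
    if binder == DIRECTORY_MANAGER:
        enforce, expire = False, False   # case 3: no policy, not expired
    elif binder == target:
        enforce, expire = True, False    # case 1: full enforcement
    elif binder in admins:
        enforce, expire = False, True    # case 2: no policy, must change at logon
    else:
        return False, ["binder may not change this password"], False
    errors = check_policy(new_pw, history, policy) if enforce else []
    if errors:
        return False, errors, False
    history.append(_pw_hash(new_pw))
    return True, [], expire
```

Running the model with Samba's usual bind as Directory Manager shows the gap the thread raises: a password like "weak" is accepted for any user, while the same password is rejected when the user sets it themselves.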
