[Freeipa-devel] freeIPA as a samba backend

Dmitri Pal dpal at redhat.com
Tue Jun 26 17:39:39 UTC 2012


On 06/26/2012 01:28 PM, Rich Megginson wrote:
> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote: 
>>>>> Hi,
>>>>>
>>>>> while using freeIPA as a user database for a samba installation I found
>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>>> password history and the number of character classes in a password, but
>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>> policies are not enforced.
>>>>>
>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>> when changing passwords:
>>>>>
>>>>>       * Password change by the user, with full enforcement of policies
>>>>>       * Password change by an admin, with no enforcement of policies and
>>>>>         the new password is set as expired so the user has to change it
>>>>>         on next logon
>>>>>       * Password change by Directory Manager, with no enforcement of
>>>>>         policies and the password is not set as expired.
>>>>>
>>>>> None of the aforementioned possibilities are ideal for samba, samba
>>>>> should connect to freeIPA with a user privileged enough to change
>>>>> password for all users but with fully enforced policies.
>>>>>
>>>>> What do you think about this? Would you consider adding such feature?
>>>>> Would you accept patches?
>>>>>
>>>> Can you please explain why samba needs to connect to IPA and change
>>>> the passwords?
>>>> In what role do you use samba? As a file server or as something else?
>>>> I am not sure I follow why you need the password change functionality.
>>>> There is a way to setup Samba FS with IPA without trying to make IPA a
>>>> back end for Samba.
>>>> I can try to dig some writeups on the matter if you are interested.
>>> Samba 3 when used as a PDC/BDC can use a LDAP server as its user/group
>>> database. To do that samba connects with a privileged user to the LDAP
>>> directory and manages some attributes of users and groups in the
>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>> attribute to users, groups and machines of the domain.
>>>
>>> When users of Windows workstations in a samba domain change their
>>> passwords samba updates the sambaNTPassword, userPassword,
>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>> ldap user.
>>>
>>> Using freeIPA as ldap user backend for samba works quite well, except
>>> for the password policy problem mentioned in last mail and that it is
>>> hard to maintain in sync the enabled/disabled status of an account.
>>
>> What is the value of using FreeIPA as a Samba back end in comparison
>> to other variants?
>> Why is IPA more interesting than say 389-DS or OpenLDAP or native Samba?
>
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389
> cannot do this - the functionality that does this is provided by an
> IPA password plugin.  Openldap has a similar plugin, but I think it is
> "contrib" and not "officially supported".
>


I know that Endi did the work to make 389 be a viable back end for Samba
and it passed all the Samba torture tests, so I am not sure I agree with
you. Samba does the kerberos operations itself and uses LDAP as a
storage only. This is why I am struggling to understand the use case. It
seems that Loris has a different configuration that I do not quite
understand, hence the questions.

>> What other features of IPA are used in such setup?
>>
>> Answering these (and maybe other) questions would help us to
>> understand how common the use case you brought up is.
>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
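To make the three password-change paths Loris describes in ipa_pwd_extop concrete (self-change with full policy enforcement, admin change with no enforcement but the password marked expired, Directory Manager change with neither), plus the fourth mode he proposes for Samba (privileged, fully enforced, not expired), here is a small Python model added to this archive page. It is not FreeIPA or Samba code; the policy checks (minimum length, number of character classes, salted-hash password history) and the mode names `self`, `admin`, `directory_manager` and `samba_proposed` are constructed for illustration, and the hashing is a stand-in, not the hash schemes IPA stores.

```python
import hashlib
import os
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Constructed stand-in for an IPA-style password policy."""
    min_length: int = 8
    min_classes: int = 3      # of: lower, upper, digit, punctuation
    history_size: int = 5     # previous passwords a user may not reuse


@dataclass
class User:
    uid: str
    history: list = field(default_factory=list)   # (salt, sha256 hex) tuples
    must_change: bool = False                      # "password expired" flag


def _hash(password: str, salt: bytes) -> str:
    # Illustrative salted hash; real directories use their own schemes.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def count_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def policy_violations(policy: PasswordPolicy, user: User, password: str) -> list:
    """Return a list of human-readable policy violations (empty if OK)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if count_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if any(_hash(password, salt) == digest for salt, digest in user.history):
        problems.append("password found in history")
    return problems


# Who is binding to change the password decides enforcement and expiry.
# The first three rows follow the thread; the fourth is the proposed mode.
MODES = {
    "self":              {"enforce": True,  "expire": False},
    "admin":             {"enforce": False, "expire": True},
    "directory_manager": {"enforce": False, "expire": False},
    "samba_proposed":    {"enforce": True,  "expire": False},
}


def change_password(policy: PasswordPolicy, user: User, password: str, binder: str) -> dict:
    """Apply the change-mode rules; on success record the new hash in history."""
    mode = MODES[binder]
    if mode["enforce"]:
        problems = policy_violations(policy, user, password)
        if problems:
            return {"accepted": False, "violations": problems}
    salt = os.urandom(16)
    user.history.append((salt, _hash(password, salt)))
    user.history = user.history[-policy.history_size:]
    user.must_change = mode["expire"]
    return {"accepted": True, "must_change": user.must_change}


if __name__ == "__main__":
    policy, user = PasswordPolicy(), User("loris")
    print(change_password(policy, user, "weak", "self"))               # rejected
    print(change_password(policy, user, "weak", "directory_manager"))  # accepted, not expired
    print(change_password(policy, user, "weak", "admin"))              # accepted, expired
    print(change_password(policy, user, "weak", "samba_proposed"))     # rejected, incl. history
    print(change_password(policy, user, "Str0ng!Passw0rd", "samba_proposed"))
```

The point of the table is that enforcement is tied to the binding identity rather than to the target user: a Samba PDC binding as Directory Manager bypasses history and character-class rules for every domain user, which is exactly the gap raised in the thread.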


