[Freeipa-devel] freeIPA as a samba backend

Rich Megginson rmeggins at redhat.com
Tue Jun 26 17:53:02 UTC 2012


On 06/26/2012 11:39 AM, Dmitri Pal wrote:
> On 06/26/2012 01:28 PM, Rich Megginson wrote:
>> On 06/26/2012 11:13 AM, Dmitri Pal wrote:
>>> On 06/26/2012 11:11 AM, Loris Santamaria wrote:
>>>>> On Tue, 26-06-2012 at 10:35 -0400, Dmitri Pal wrote:
>>>>> On 06/25/2012 09:02 PM, Loris Santamaria wrote:
>>>>>> Hi,
>>>>>>
>>>>>> while using freeIPA as a user database for a samba installation I found
>>>>>> a problem in the enforcement of password policies. FreeIPA password
>>>>>> policies are more detailed than samba's, in freeIPA one may enforce
>>>>>> password history and the number of character classes in a password, but
>>>>>> normally samba connects to freeIPA with the "Directory Manager" so those
>>>>>> policies are not enforced.
>>>>>>
>>>>>> Reading the source of ipa_pwd_extop I see there are three possibilities
>>>>>> when changing passwords:
>>>>>>
>>>>>>        * Password change by the user, with full enforcement of policies
>>>>>>        * Password change by an admin, with no enforcement of policies and
>>>>>>          the new password is set as expired so the user has to change it
>>>>>>          on next logon
>>>>>>        * Password change by Directory Manager, with no enforcement of
>>>>>>          policies and the password is not set as expired.
>>>>>>
>>>>>> None of the aforementioned possibilities are ideal for samba, samba
>>>>>> should connect to freeIPA with a user privileged enough to change
>>>>>> password for all users but with fully enforced policies.
>>>>>>
>>>>>> What do you think about this? Would you consider adding such feature?
>>>>>> Would you accept patches?
>>>>>>
>>>>> Can you please explain why samba needs to connect to IPA and change
>>>>> the passwords?
>>>>> In what role do you use samba? As a file server or as something else?
>>>>> I am not sure I follow why you need the password change functionality.
>>>>> There is a way to set up Samba FS with IPA without trying to make IPA a
>>>>> back end for Samba.
>>>>> I can try to dig some writeups on the matter if you are interested.
>>>> Samba 3 when used as a PDC/BDC can use an LDAP server as its user/group
>>>> database. To do that samba connects with a privileged user to the LDAP
>>>> directory and manages some attributes of users and groups in the
>>>> directory, adding the sambaSAMAccount objectclass and the sambaSID
>>>> attribute to users, groups and machines of the domain.
>>>>
>>>> When users of Windows workstations in a samba domain change their
>>>> passwords samba updates the sambaNTPassword, userPassword,
>>>> sambaLastPwdChange, sambaPwdMustChange attributes of the corresponding
>>>> ldap user.
>>>>
>>>> Using freeIPA as ldap user backend for samba works quite well, except
>>>> for the password policy problem mentioned in last mail and that it is
>>>> hard to maintain in sync the enabled/disabled status of an account.
>>>
>>> What is the value of using FreeIPA as a Samba back end in comparison
>>> to other variants?
>>> Why is IPA more interesting than, say, 389-DS or OpenLDAP or native Samba?
>>
>> IPA will keep all of your passwords in sync - userPassword, 
>> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  389 
>> cannot do this - the functionality that does this is provided by an 
>> IPA password plugin.  Openldap has a similar plugin, but I think it 
>> is "contrib" and not "officially supported".
>>
>
>
> I know that Endi did the work to make 389 be a viable back end for 
> Samba and it passed all the Samba torture tests so I am not sure I 
> agree with you.

Was that for samba4 or samba3?

> Samba does the kerberos operations itself and uses LDAP as a storage only.

Samba4 or samba3?

> This is why I am struggling to understand the use case. It seems that 
> Loris has a different configuration that I do not quite understand, 
> thus questions.
>
>>> What other features of IPA are used in such setup?
>>>
>>> Answering these (and maybe other) questions would help us to
>>> understand how common the use case that you brought up is.
>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>>
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
