Re: smbk5pwd and ppolicy working together



> Let me ask two theoretical questions, before I submit my comments
> below.  Windows XP/2000/et al. send their passwords via SMB hashed.
> So, without configuring those workstations to send the passwords
> plaintext over the wire, is there any way for ppolicy to act on the
> ldapmodify initiated by Samba from Windows clients attempting to change
> their passwords? 

You do *NOT* need to configure the clients to use cleartext passwords -
which BTW would break domain functionality anyway.

Samba has a cleartext equivalent of the password when you do a password
change, else how would password chat scripts work?

> Furthermore, if the above change is made so that ppolicy can evaluate
> the plaintext password, what exactly will the interaction between LDAP
> and the clients be if it fails to clear ppolicy constraints?