Re: smbk5pwd and ppolicy working together

[Howard Chu <hyc@symas.com>]

Ryan Steele wrote:
> Howard and others,
>
> Let me ask two theoretical questions, before I submit my comments
> below.  Windows XP/2000/et. al. send their passwords via SMB hashed.

That is not true for a password change request, so the rest of this question 
is irrelevant.

> So, without configuring those workstations to send the passwords
> plaintext over the wire, is there any way for ppolicy to act on the
> ldapmodify initiated by Samba from Windows clients attempting to change
> their passwords?

> Furthermore, if the above change is made so that ppolicy can evaluate
> the plaintext password, what exactly will the interaction between LDAP
> and the clients be if it fails to clear ppolicy constraints?

When you get it working you'll know. Questions of the form "what will happen 
if" will always get answered by "try it and see."

> > This is syslog output, not debug output. I said to bump up the debug
> > level.
>
> Maybe I'm misunderstanding.  From the slapd.conf manpage:
>
> loglevel<integer>  [...]
>                Specify the level at which debugging statements and
> operation statistics should be syslogged (currently logged to  the
> syslogd(8)  LOG_LOCAL4  facility).
>
> I thought "debugging statements" is what you wanted?  When I start slapd
> with the -d option, I seem to get the same output as when I specify
> 'loglevel N' in the slapd.conf.

As I've said countless times - syslog is not a debugging tool. It is lossy; 
when the syslog daemon gets too busy it discards messages. If it could be used 
for everything there would be no need for us to provide a "-d" option. But in 
fact, we *do* provide a "-d" option, and debugging is its only purpose.

> > > <snip>
> > As already mentioned, ppolicy doesn't restrict the rootDN. If you want
> > your policy constraints to work, you have to bind with some other DN
> > to make the changes. That will of course mean that you have to give
> > that DN write access to the selected attributes in your ACL.
>
> Ok - I'll create an LDAP user specifically for changing passwords, and
> set that as my "ldap admin dn" in the smb.conf, so the change won't be
> done by the rootdn, as recommended by Adam and yourself.  I'll then
> create an entry in the slapd.conf like the one below and give that a shot.
>
> > > # ACL's
> > > access to
> > > attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
> > >
> > >      by   self    write
> > >      by   *       auth
>      access to
> attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange,pwdChangedTime,pwdHistory
>            by dn="cn=pwchanger,dc=example,dc=com" write

You need to re-read the ACL docs.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/