
Re: Password expiration question (ppolicy and smbk5pwd interaction)



Pat Riehecky wrote, on 07-01-2008 21:16:

Like many before me I would love to get the smbk5pwd module up and
running, but I have a question.

In OpenLDAP 2.4.7:
If I set a password expiration time up (with ppolicy), and the user's
password expires, does it lock the Heimdal, Samba, and ldap passwords?

On the flip side, if I set a password expiration time up (with
smbk5pwd), and the user's password expires, does it lock the Heimdal,
Samba, and ldap passwords?

Or perhaps more to the point, what can I do to keep all three of these
passwords either all valid or all expired at the same time?

The documentation is a bit vague on this one point, and the archives
left me still in confusion.....

My site's been running an enforced user password-change policy since mid December last. We have both Linux and Samba clients.


OL ppolicy as such will only work for Linux clients using pam_ldap, though password changes using smbk5pwd do change the sambaLMPassword and sambaNTPassword attributes in sync (that's what the smbk5pwd overlay is for). Samba 3.x itself has no support for OL ppolicy and Samba equivalents have to be configured parallel to it, using the Samba pdbedit utility. Only Samba reads the Samba-specific LDAP attributes.

Linux password criteria should be enforced using pam's pam_cracklib component (this is particularly important if the site's using chaining of referrals). NT password strength can be ensured by compiling and using the crackcheck program included with the source.

Updating KerberosV tickets is a completely different kettle of fish and has nothing to do with ppolicy.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
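
Because the ppolicy expiry and the Samba expiry are configured in parallel, they can drift apart. The check below is an added example, not part of the original thread: it compares the two expiry moments for one account. It assumes the entry was exported with the `pwdChangedTime` and `sambaPwdLastSet` attributes, that the two maximum ages are supplied by hand (the ppolicy `pwdMaxAge` and the Samba "maximum password age" account policy, both in seconds), and that Samba computes expiry as last-set time plus that policy; the sample entry is constructed.

```python
# Added example: detect drift between ppolicy and Samba password expiry.
from datetime import datetime, timezone

# Constructed sample entry (LDIF with operational attributes requested);
# not taken from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdChangedTime: 20071215093000Z
sambaPwdLastSet: 1197711000
"""

def parse_entry(ldif):
    """Return {attribute: value} for a single, unfolded LDIF entry."""
    entry = {}
    for line in ldif.splitlines():
        if ": " in line and not line.startswith("#"):
            attr, value = line.split(": ", 1)
            entry[attr] = value.strip()
    return entry

def expiry_times(entry, pwd_max_age, samba_max_age):
    """Epoch seconds at which each side treats the password as expired.

    pwd_max_age:   pwdMaxAge from the ppolicy entry (seconds, 0 = never).
    samba_max_age: Samba 'maximum password age' policy (seconds, 0 = never).
    """
    changed = datetime.strptime(entry["pwdChangedTime"], "%Y%m%d%H%M%SZ")
    ldap_set = int(changed.replace(tzinfo=timezone.utc).timestamp())
    samba_set = int(entry["sambaPwdLastSet"])
    ldap_exp = ldap_set + pwd_max_age if pwd_max_age else None
    samba_exp = samba_set + samba_max_age if samba_max_age else None
    return ldap_exp, samba_exp

def drift_seconds(entry, pwd_max_age, samba_max_age):
    """Seconds between the two expiry moments.

    Returns 0 when neither side expires, None when only one side does.
    """
    ldap_exp, samba_exp = expiry_times(entry, pwd_max_age, samba_max_age)
    if ldap_exp is None and samba_exp is None:
        return 0
    if ldap_exp is None or samba_exp is None:
        return None
    return abs(ldap_exp - samba_exp)
```

A `None` result is the case to look for first: one store expires the password while the other keeps accepting it indefinitely.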