Hi Christian,

* Christian Manal <moenoel@informatik.uni-bremen.de> [16.02.2010 15:31]:
> Ralf Zimmermann wrote:
> > Hi all,
> >
> > I have a problem with overlay ppolicy and samba. My samba backend is
> > openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the
> > userPassword all works fine. I read the slapo-ppolicy man page and I know that
> > the only pwdAttribute is userPassword. If I change the userPassword with
> > smbpasswd the policy also works fine. But if I want to change the password with
> > a Windows client the problem begins. The sambaNTPassword is set every time to
> > the new password because the ppolicy overlay checks only the userPassword.
> > So both passwords are different and there is no control for the
> > sambaNTPassword.
> >
> > Is there any solution or a workaround for this problem?
> >
> > Any help is appreciated.
> >
> > Kind regards
> > Ralf Zimmermann
> >
>
> Hello Ralf,
>
> you should take a look at the option 'ldap passwd sync' in the smb.conf
> manpage. I would also recommend taking a look at the smbk5pwd overlay
> if you don't already use that.
>
>
> Best regards,
> Christian Manal

the option 'ldap passwd sync' is set to yes. I will look at the overlay
smbk5pwd again. But I think it will not resolve the problem because samba makes
a modify for the samba attributes. We have a default ppolicy. But this policy
works only with pwdAttribute userPassword, not with sambaNTPassword. The problem
is that a user can change his password with a Windows client. The
sambaNTPassword is always set, whatever is configured in the policy.
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPoints 3 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPoints]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPoints, value = 3
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting quality to [3 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minUpper 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minUpper]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = useCracklib, value = 1
...
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPunct, value = 0
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting parameter to [0 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Found lower character - quality raise 1
Feb 16 14:16:32 rudi slapd[7683]: check_password: Reallocating szErrStr from 64 to 174
Feb 16 14:16:32 rudi slapd[7683]: check_password_quality: module error: (check_password.so) Password for dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" does not pass required number of strength checks (1 of 3).[1]
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=

Thanks
Ralf Zimmermann

--
  .''`.   Ralf Zimmermann
 : :' :   SIEGNETZ.IT GmbH
 `. `'    Schneppenkauten 1a
   `-     57076 Siegen
          Tel.: +49 271 68193 13
          Fax.: +49 271 68193 29
Siegen District Court (Amtsgericht Siegen) HRB4838
Managing Director: Oliver Seitz
Registered office of the company: Siegen
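Added example, not part of the original message and not code from OpenLDAP or Samba: a log correlation that flags the situation described in this thread, where a direct MOD of sambaNTPassword succeeds and the Password Modify (PASSMOD) for the same DN is then rejected, leaving the two credentials out of sync. It assumes the slapd log format shown in the message; the function name and the jdoe lines are constructed for illustration.

```python
import re

# First five lines are taken from the log in the message; the jdoe lines are
# constructed as a negative case (hash written, PASSMOD accepted).
SAMPLE_LOG = """\
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=
Feb 16 14:20:01 rudi slapd[7683]: conn=1010 op=6 MOD dn="uid=jdoe,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:20:01 rudi slapd[7683]: conn=1010 op=6 MOD attr=sambaNTPassword sambaPwdLastSet
Feb 16 14:20:01 rudi slapd[7683]: conn=1010 op=6 RESULT tag=103 err=0 text=
Feb 16 14:20:01 rudi slapd[7683]: conn=1011 op=6 PASSMOD id="uid=jdoe,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:20:01 rudi slapd[7683]: conn=1011 op=6 RESULT oid= err=0 text=
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (MOD|PASSMOD|RESULT) (.*)")
DN = re.compile(r'(?:dn|id)="([^"]*)"')
ERR = re.compile(r"\berr=(\d+)")

def find_desynced_dns(log_text):
    """Return DNs (lower-cased) whose sambaNTPassword was written while the
    following Password Modify was rejected and never later accepted."""
    pending = {}                      # (conn, op) -> fields seen so far
    nt_written, desynced = set(), set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind != "RESULT":
            op = pending.setdefault(key, {"kind": kind})
            dn = DN.search(rest)
            if dn:
                op["dn"] = dn.group(1).lower()
            elif rest.startswith("attr="):
                op["nt"] = "sambaNTPassword" in rest[5:].split()
            continue
        op, err = pending.pop(key, None), ERR.search(rest)
        if not op or "dn" not in op or not err:
            continue
        dn, ok = op["dn"], err.group(1) == "0"
        if op["kind"] == "MOD":
            if ok and op.get("nt"):
                nt_written.add(dn)    # hash changed outside ppolicy's view
        elif ok:                      # PASSMOD accepted: back in sync
            nt_written.discard(dn); desynced.discard(dn)
        elif dn in nt_written:        # PASSMOD rejected, e.g. err=19
            desynced.add(dn)
    return sorted(desynced)
```

Result code 19 is the LDAP constraintViolation returned when the policy check rejects the new userPassword; the function treats any non-zero PASSMOD result after a successful hash write as a desync.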