> Message: 9
> Date: Sat, 3 Aug 2002 04:11:30 -0700 (PDT)
> From: "Hesham S. Ahmed" <zlinux2002@yahoo.com>
> To: Samba <samba@lists.samba.org>
> Subject: [Samba] Password Expiration when using LDAP
>
> Hi,
>
> We are planning to move all of our win2k server
> (currenty around 50!) alongwith AD to Linux, we are
> planning to use LDAP based samba domain controllers
> for authentication and file/print serving. We are
> doing a pilot and things are fine till now, just one
> simple problem, what should we do with our password
> policy, we have three restrictions relating passwords
>
> minimum password length
Not only length, but if you use something like this in your
/etc/pam.d/samba:
password required /lib/security/pam_cracklib.so retry=3 minlen=x
dcredit=y ucredit=z
You can get more than what you want (including dictionary checking).
This is of course only if you have pam password change = yes in your
smb.conf (which you will probably want if you want to keep your unix and
samba passwords in your LDAP database in sync, and thus have a pam_ldap
entry in for password in your /etc/pam.d/samba or included via pam_stack).
> password expiration
You can expire them, but they don't seem to unexpire. You can just set
pwdMustChange 0.
> password history (so users cant reuse old password for
> some time)
I don't think this is currently possible.>
> AFAIK samba 2.2.5 PDC doesn't support any of these. I
> was thinking if there is any way to implement these
> restrictions at LDAP level, I mean adding a few
> attributes stroring password change dates and checking
> for expiration interval by using maybe a cron job that
> checks the no. of days elapsed.... or should I rather
> wait?
Password history should probably be handled by pam_ldap, but that would
only wok if you're syncing unix and samba passwords in LDAP.
It seems password expiry is broken in samba though ...
I am not sure exactly how the password expiry works, but I think it
should be something like this (using bash for clarity):
pwdMustChange=$(ldapsearch -x "(uid=%u)" pwdMustChange -LL |awk
'/pwdMustChange/ {print $2}')
pwdLastSet=$(ldapsearch -x "(uid=%u)" pwdLastSet -LL |awk
'/pwdLastSet/
{print $2}')
let pwdAge=`date +%s`-$pwdLastSet
if [ $pwdAge -ge $pwdMustChange ]; then
expire_password;
fi
That way you only ever have to write password ages when you change a
password (and you're writing anyway for the password), and there's no
need for cron jobs to update password change times etc.
But this doesn't quite seem to work. It seems that if pwdMustChange is
2147483647, then the password isn't expired, if it it anything else, it
is expired.
It would be nice to at least get this functionality working for 2.2.6
.... to the point where you only get a "You password expires today" if
$pwdAge-pwdMustChage<=1 day
>
> Does HEAD supports these features, my company wouldn't
> mind using HEAD in production!!! as most of our
> business is dependent on Lotus Domino which is in no
> way dependent on NT PDC functionality.
Not sure.
--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7