Hello! Andrew Bartlett via samba
  On that day it was said...

> Thanks for asking for clarification, I hope this puts you at ease.

Sure! Thanks to you!

Only a bit more:

> > PS: and domain members? How they enforce passwords policies? Directly
> > on AD DC, I suppose... but I'll ask. ;-)
> They don't ask the DC for the choice of local user passwords as far as
> I'm aware. There is an API to check if a password is OK (SAMR
> ValidatePassword), but I've not seen it called for that, but I've also
> not really been looking.

No, I was not clear. I don't mean ''password quality'', but ''password
age''.

In NT/LDAP/smbldap-tools mode, I used to populate shadow account LDAP
data, ''copying'' expiration date from Samba/Windows ones, so I've
added NSS 'shadow' ldap context and the POSIX layer are aware of
password expiration.

I supposed now that password are checked against DC in a
''black/white'' way, eg if I try to authenticate I get something like:
 a) good
 b) bad password
 c) password expired, please change
 d) account disabled

Right?

No one have tried to add 'shadow' context in winbind? I'm simply
curious... ;-)

Again, thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Wed, 25 Oct 2017 16:21:03 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > Thanks for asking for clarification, I hope this puts you at ease.
>
> Sure! Thanks to you!
>
> Only a bit more:
>
> > > PS: and domain members? How they enforce passwords policies?
> > > Directly on AD DC, I suppose... but I'll ask. ;-)
> > They don't ask the DC for the choice of local user passwords as far
> > as I'm aware. There is an API to check if a password is OK (SAMR
> > ValidatePassword), but I've not seen it called for that, but I've
> > also not really been looking.
>
> No, I was not clear. I don't mean ''password quality'', but ''password
> age''.
>
> In NT/LDAP/smbldap-tools mode, I used to populate shadow account LDAP
> data, ''copying'' expiration date from Samba/Windows ones, so I've
> added NSS 'shadow' ldap context and the POSIX layer are aware of
> password expiration.
>
> I supposed now that password are checked against DC in a
> ''black/white'' way, eg if I try to authenticate I get something like:
>  a) good
>  b) bad password
>  c) password expired, please change
>  d) account disabled
>
> Right?
>

Yes

>
> No one have tried to add 'shadow' context in winbind? I'm simply
> curious... ;-)
>

If you mean adding 'winbind' to the shadow line in /etc/nsswitch.conf,
then yes, this has been tried and it didn't work, in fact it broke
things ;-)

Rowland

Hello! Rowland Penny via samba
  On that day it was said...

> > No one have tried to add 'shadow' context in winbind? I'm simply
> > curious... ;-)
> If you mean adding 'winbind' to the shadow line in /etc/nsswitch.conf,

Ahem, no: I meant adding to winbind nss library the support for the
'shadow' context, so I suppose this means adding some sort of
''transcoding'' between expiration data in AD and in POSIX worlds.

> then yes, this has been tried and it didn't work, in fact it broke
> things ;-)

I supposed was not supported at all, I've never added 'winbind' in
shadow context. ;-)

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
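
The ''transcoding'' between AD and POSIX expiration data mentioned in the last message, sketched as an added example that is not part of any message in this thread and is not Samba or winbind code. It assumes the standard AD attributes pwdLastSet, maxPwdAge, userAccountControl and accountExpires have already been read; the function names, and the choice to map a disabled account to an expiry day of 1, are assumptions of this example.

```python
"""Map AD password-age attributes onto shadow(5) fields (added example)."""
from typing import NamedTuple, Optional

EPOCH_DIFF_S = 11_644_473_600      # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_S = 10_000_000           # AD timestamps count 100 ns ticks
DAY_S = 86_400
UF_ACCOUNTDISABLE = 0x0002         # userAccountControl flags
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires: "never"
NO_MAX_AGE = (0, -0x8000000000000000)     # maxPwdAge: no password aging

class Shadow(NamedTuple):
    lstchg: Optional[int]    # day of last change; 0 = change at next login
    max_days: Optional[int]  # days a password stays valid; None = no aging
    expire: Optional[int]    # day the account expires; None = never

def filetime_to_days(ft: int) -> int:
    """AD FILETIME (100 ns ticks since 1601) -> days since 1970-01-01."""
    return (ft // TICKS_PER_S - EPOCH_DIFF_S) // DAY_S

def ad_to_shadow(pwd_last_set: int, max_pwd_age: int,
                 uac: int, account_expires: int) -> Shadow:
    no_aging = bool(uac & UF_DONT_EXPIRE_PASSWD) or max_pwd_age in NO_MAX_AGE
    if pwd_last_set == 0:
        # AD: "must change at next logon", unless the password never expires
        lstchg = None if uac & UF_DONT_EXPIRE_PASSWD else 0
    else:
        lstchg = filetime_to_days(pwd_last_set)
    # maxPwdAge is stored as a negative tick interval on the domain object
    max_days = None if no_aging else -max_pwd_age // (TICKS_PER_S * DAY_S)
    if uac & UF_ACCOUNTDISABLE:
        expire = 1   # assumption: a past date locks; shadow(5) warns against 0
    elif account_expires in NEVER_EXPIRES:
        expire = None
    else:
        expire = filetime_to_days(account_expires)
    return Shadow(lstchg, max_days, expire)

def shadow_line(name: str, s: Shadow) -> str:
    """Render name:passwd:lstchg:min:max:warn:inact:expire:reserved."""
    f = lambda v: "" if v is None else str(v)
    return ":".join([name, "*", f(s.lstchg), "", f(s.max_days),
                     "", "", f(s.expire), ""])

if __name__ == "__main__":
    # Constructed sample: password set 2017-10-25, 42-day domain policy
    ft = (17464 * DAY_S + EPOCH_DIFF_S) * TICKS_PER_S
    print(shadow_line("marco", ad_to_shadow(ft, -42 * DAY_S * TICKS_PER_S, 0x200, 0)))
```

A mapping like this is a point-in-time copy: the DC stays authoritative, so a stale shadow entry can disagree with the good / bad password / expired / disabled answer the DC gives at authentication time.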