Domain – OpenLDAP, Samba and password aging

authenticationdomainldappamsamba

I'm configuring a system in which all IT resources are available through a single user-password pair, be it access to shell on the servers, logging to Samba domain, WiFi, OpenVPN, Mantis, etc. (with access to specific services governed by group membership or user object fields). Because we have personal data in our network, we need to implement password aging, as per the EU Data Protection Directive (or rather the Polish version of it).

The problem is that Samba and POSIX accounts in LDAP use different password hashing and aging information. While synchronizing the passwords themselves is easy (the ldap password sync = Yes in smb.conf), adding password aging to the mix breaks things: Samba doesn't update shadowLastChange. Together with obey pam restrictions = Yes creates a system in which a windows user can't change aged password, but if I don't use it, home directories won't be automatically created. The alternative is to use use LDAP extended operation for password changing, but the smbk5pwd module doesn't set it either. What's worse, the OpenLDAP maintainer won't update it/accept patches as this field is considered deprecated.

So, my question is, what is the best solution? What are the up- and downsides of them?

Use LDAP ppolicy and internal LDAP password aging?
1. How well does it work with NSS, PAM modules, samba, other systems?
2. Do the NSS and PAM modules need to be configured in special way to use ppolicy, not shadow?
3. Does GOsa² work with ppolicy?
4. Are there other administrative tools that can work with ppolicy-enabled LDAP?
Hack together a change password script that updates the field in LDAP. (leaving the possibility that the user himself will update the field without changing password)

Best Answer

I wrote my own OpenLDAP overlay called shadowlastchange to update the shadowLastChange attribute whenever an EXOP password change occurs. It is activated in slapd.conf:

moduleload smbk5pwd
moduleload shadowlastchange
...

database bdb
...
overlay smbk5pwd
overlay shadowlastchange

I have configured smb.conf to change passwords via EXOP:

ldap passwd sync = Only

Then, for each account, set shadowMax to the number of days a password is valid. The OpenLDAP modules take care of the rest!

Related Solutions

Linux – Provide Samba access based on LDAP info

I believe it will be necessary to at least have a domain admin on the LDAP server come over to type their password at least one time to accomplish what you want and join Samba to the domain.

Given that, the steps should be relatively simple. Taken from the Samba Wiki, set the following in your samba config:

* passdb backend = ldapsam:ldap://<your-hostname>
* ldap suffix = 
* ldap admin dn

Then run smbpasswd -w to let samba know the password for the admin dn.

There is also a nice writeup here.

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Best Answer

Related Solutions

Linux – Provide Samba access based on LDAP info

Samba Permissions – I’m going to throw it!

Related Topic