Topic: Password Policy setup

canna3is

  • Zen Apprentice
Password Policy setup
« on: October 01, 2012, 02:03:59 pm »
Hi all
Is there anybody who has dealt with the ppolicy overlay in Zentyal 2.2 or 3.0 with success?
I have only Linux clients, and password expiry warnings and password complexity would be a good benefit with regard to an IT audit.
Some weekends have passed working on this without any success.
Any advice or experience would be appreciated.
Thanks
« Last Edit: October 01, 2012, 02:21:04 pm by canna3is »

christian

  • Guest
Re: Password Policy setup
« Reply #1 on: October 01, 2012, 02:44:16 pm »
I never saw such an overlay installed with the Zentyal LDAP server (at least up to 2.2).
I also fully share that this is a must when it comes to managing accounts  8)

There are a lot of HowTos explaining how to install and configure it, but what you have to take into account is that Zentyal is template-based, thus you have to work at the *.mas file level if you don't want your config to be erased at the next Zentyal restart.

FarquahrWindsor

  • Guest
Re: Password Policy setup
« Reply #2 on: October 01, 2012, 02:57:27 pm »
Samba4 would allow you to set those. Haven't tried, but that and winbind would probably work.

christian

  • Guest
Re: Password Policy setup
« Reply #3 on: October 01, 2012, 03:50:20 pm »
Sure, but from what I understand, this would be a "Microsoft-centric" view  :-[

I'm still waiting for the Zentyal team to publish how the SambaLDAP vs. std LDAP synchronisation works, but if there is no ppolicy overlay in std LDAP and if, as described here, you have only Unix accounts not accessing Samba or any Windows-like domain, then Samba is pretty useless, at least for this purpose.

What would you suggest to a user installing mail, proxy and "users & groups" but not installing "file sharing"?  ???

Your point is however valid and very interesting, as it raises again the question about Zentyal's positioning and strategy.

canna3is

  • Zen Apprentice
Re: Password Policy setup
« Reply #4 on: October 01, 2012, 05:27:07 pm »
Samba4 would allow you to set those. Haven't tried, but that and winbind would probably work.

First of all, thanks for your reply.
Yes, it is a Microsoft-centric view, and we have Ubuntu clients only. Samba4 would be a good PDC with full AD support for Windows clients, I guess.
Anyway, in our working environment the Linux clients use the Zentyal LDAP for authenticating almost everything that has an LDAP connector.
SSO would be great if there were a desktop version for 12.04.
The last issue is the password policy. I am searching for any working solution through usercorner and client login on the Ubuntu client.
The usercorner stuff is simpler, because with some script in the .pm file I can force the user to add a password of more than 8 characters or at least 1 digit. Password expiry warnings can only work with LDAP support. So that is where I am stuck with this....

christian

  • Guest
Re: Password Policy setup
« Reply #5 on: October 01, 2012, 05:33:38 pm »
I would suggest implementing the full ppolicy overlay, as it will allow you not only to enforce password policy in terms of password strength but also password ageing, plus some other fun stuff around passwords.
Being able to also block an account without removing the entry is, from my standpoint, mandatory too.
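The overlay christian describes, as an added example that is not part of this thread or of Zentyal's own code. It loads the OpenLDAP ppolicy overlay on a cn=config-style slapd and creates a default policy with the ageing, history and lockout settings he mentions. Everything below the shebang is an assumption: the suffix dc=example,dc=com (use the real Zentyal suffix), the user database living at olcDatabase={1}hdb, ppolicy.la in the standard module path, root access over ldapi:///, and an ou=Users container for the verification bind. Two caveats a practitioner should know: ppolicy by itself enforces only the minimum length (pwdMinLength); a rule such as "at least one digit" needs a pwdCheckModule, which this example does not add. And the expiry warning is only delivered to clients that send the ppolicy request control on bind, which pam_ldap and sssd do.

```shell
#!/bin/sh
# Added example (not Zentyal's code): install the OpenLDAP ppolicy overlay and
# a default password policy on a cn=config slapd.
# Assumptions: user DIT in olcDatabase={1}hdb, ppolicy.la available to slapd,
# root access via ldapi:///, suffix from BASE_DN. On Zentyal the slapd config is
# generated from *.mas templates, so changes applied this way can be overwritten
# on the next module restart unless the templates are changed as well.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"       # assumed suffix
POLICY_DN="cn=default,ou=policies,$BASE_DN"   # assumed policy location

# ppolicy time attributes are in seconds; keep the conversion in one place.
days_to_seconds() { echo $(( $1 * 86400 )); }

# LDIF that loads the module and attaches the overlay to the user database.
# olcPPolicyHashCleartext hashes passwords that arrive in clear, which also
# lets the overlay inspect them for the quality check below.
ppolicy_overlay_ldif() {
cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF
}

# LDIF for the default policy: 8-character minimum, 90-day ageing, warning
# 14 days before expiry, 5 remembered passwords, lockout for 15 minutes after
# 5 failures, no grace logins once expired. pwdCheckQuality 2 rejects a change
# whose cleartext the server cannot inspect (e.g. a pre-hashed value).
ppolicy_policy_ldif() {
cat <<EOF
dn: ou=policies,$BASE_DN
objectClass: organizationalUnit
ou: policies

dn: $POLICY_DN
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
pwdMaxAge: $(days_to_seconds 90)
pwdExpireWarning: $(days_to_seconds 14)
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
EOF
}

# Apply on the server: schema first, then overlay, then the policy entry.
ppolicy_apply() {
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
    ppolicy_overlay_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    ppolicy_policy_ldif  | ldapadd -x -D "cn=admin,$BASE_DN" -W -H ldapi:///
}

# Verification from a client: with the ppolicy control on a simple bind, slapd
# reports the remaining lifetime ("Password expires in N seconds") or a lockout.
#   ldapwhoami -x -e ppolicy -D "uid=alice,ou=Users,$BASE_DN" -W -H ldap://zentyal
```

Run `ppolicy_apply` once as root on the LDAP server; blocking an account without deleting it, the other requirement in the post, is then a matter of setting `pwdAccountLockedTime: 000001010000Z` on the user entry.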

FarquahrWindsor

  • Guest
Re: Password Policy setup
« Reply #6 on: October 01, 2012, 06:16:05 pm »
I had a search for gdm and password expiry; it seems there is a bit of a gotcha where if your password has expired you can get into a catch-22 of not being able to log in to change it. It was a bit barren after that.

http://www.h-online.com/open/news/item/First-release-candidate-for-Samba-4-is-available-1708247.html

It makes sense now; the Samba howto mentions there are some problems with DRS replication, so basically you rsync your sysvol out to your members then. I never really understood the implications.

There is a lot mentioned about Microsoft-centric methodologies, but due to mainly being stuck with Windows and a few Linux and Mac clients, Samba for me is a singular SSO and authentication system that offers the most interoperability.

As well as password expiry, and I didn't realise this and I am just asking again: does the slave sync only work with a single slave?

The options for replication in the Samba module are there; I dunno if the devs rsync sysvol.

« Last Edit: October 01, 2012, 06:44:31 pm by FarquahrWindsor »

canna3is

  • Zen Apprentice
Re: Password Policy setup
« Reply #7 on: October 02, 2012, 08:53:58 am »
I tried with 3.0, but it caused a usercorner malfunction for password change. Got some "Insufficient blabla" error.
Maybe a Kerberos issue. The passwd command can change the password in the terminal, and I can see it uses Kerberos.
Another interesting thing is that when I modify the PDC password policy in the Zentyal menu, that works only for Samba shares. So I can log in with a shorter password, but if it is shorter than I selected in the menu, the Samba shares become unavailable. Weird but understandable.
In 2.2 there isn't Kerberos, so I will try to test ppolicy in a 2.2 Zentyal test environment.
In the meantime... I accept and support every viable initiative. :-) I have to solve this ticket.

christian

  • Guest
Re: Password Policy setup
« Reply #8 on: October 02, 2012, 09:07:41 am »
There is something to be kept in mind (and for which I can't help in terms of understanding, due to lack of documentation and no availability for any reverse engineering).
Zentyal comes with 2 LDAP servers:
- one (let's call it "std LDAP" server) for all services but Samba
- one ("SambaLDAP") dedicated to Samba.

Zentyal's implementation brings, if I'm not wrong, a synchronisation process between these 2 LDAP servers.
- what does it cover? I don't know
- what is excluded? I don't know either
- does it mean the ppolicy overlay should be deployed on the 2 servers and then synchronised? How does it interact with Microsoft in case Samba, as DC, is part of an existing Microsoft domain?

All this stuff is, for the time being, fuzzy to me, but I can easily imagine that it has to be taken into account in what you intend to achieve.

jsalamero

  • Zentyal Staff
  • Zen Hero
Re: Password Policy setup
« Reply #9 on: October 07, 2012, 12:27:47 pm »
This cannot be done with the Zentyal web interface at the moment, but you can still use the samba-tool command:

Code:
root@zentyal3:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=zentyal-domain,DC=lan'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 365
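An audit check built on the command jsalamero shows, as an added example rather than Zentyal's or Samba's own tooling. It reads the output of `samba-tool domain passwordsettings show` from stdin, compares each setting with a threshold, and prints the `samba-tool domain passwordsettings set` command that would correct the domain. The thresholds (8 characters, 90-day maximum age, 1-day minimum age, 24 remembered passwords) are assumptions chosen for illustration; the sample output embedded for the offline demo is the one posted above. Note that, as christian asks below, this governs the Samba AD directory; whether it reaches the std LDAP that the Linux clients bind to is not established in this thread.

```shell
#!/bin/sh
# Added example (not Zentyal's or Samba's code): audit the output of
# `samba-tool domain passwordsettings show` and print the fix. Thresholds are
# assumptions; set them to whatever the audit requires.
set -eu

MIN_LEN=8      # minimum password length
MAX_AGE=90     # maximum age in days; samba-tool reports 0 for "never expires"
MIN_AGE=1      # minimum age in days, so the history cannot be cycled in one sitting
HISTORY=24     # remembered passwords

# Read the 'show' output on stdin, print one finding per line, return 1 if any.
# Lines this check does not know (the domain header, blank lines, settings
# added by newer Samba versions) are ignored.
audit_passwordsettings() {
    findings=0
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line##*: }
        case "$key" in
            "Password complexity")
                [ "$val" = on ] || { echo "complexity is $val, want on"; findings=$((findings + 1)); } ;;
            "Store plaintext passwords")
                [ "$val" = off ] || { echo "plaintext storage is $val, want off"; findings=$((findings + 1)); } ;;
            "Password history length")
                [ "$val" -ge "$HISTORY" ] || { echo "history length is $val, want >= $HISTORY"; findings=$((findings + 1)); } ;;
            "Minimum password length")
                [ "$val" -ge "$MIN_LEN" ] || { echo "minimum length is $val, want >= $MIN_LEN"; findings=$((findings + 1)); } ;;
            "Minimum password age (days)")
                [ "$val" -ge "$MIN_AGE" ] || { echo "minimum age is $val days, want >= $MIN_AGE"; findings=$((findings + 1)); } ;;
            "Maximum password age (days)")
                { [ "$val" -gt 0 ] && [ "$val" -le "$MAX_AGE" ]; } || { echo "maximum age is $val days, want 1..$MAX_AGE"; findings=$((findings + 1)); } ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# The command a domain admin would run on the Zentyal box to correct the domain.
fix_command() {
    printf 'samba-tool domain passwordsettings set --complexity=on --store-plaintext=off'
    printf ' --history-length=%s --min-pwd-length=%s --min-pwd-age=%s --max-pwd-age=%s\n' \
        "$HISTORY" "$MIN_LEN" "$MIN_AGE" "$MAX_AGE"
}

# Constructed sample: the 'show' output posted above (Zentyal 3.0 defaults).
sample_show_output() {
cat <<'EOF'
Password informations for domain 'DC=zentyal-domain,DC=lan'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 365
EOF
}

# Offline demo. On the server, replace sample_show_output with:
#   samba-tool domain passwordsettings show
sample_show_output | audit_passwordsettings || fix_command
```

Against the posted output the check reports four findings (complexity off, minimum length 0, minimum age 0, maximum age 365 days) and prints the corrective `set` command; a compliant domain produces no output and exit status 0, which makes the function usable from a cron job or a configuration-management check.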

christian

  • Guest
Re: Password Policy setup
« Reply #10 on: October 07, 2012, 05:56:29 pm »
Sure, but in such a case, what would be the impact for LDAP authentication, and what if file sharing is not installed?
Am I wrong in understanding that what you describe is for Samba only?

FarquahrWindsor

  • Guest
Re: Password Policy setup
« Reply #11 on: October 07, 2012, 06:36:32 pm »
I think that because of the two LDAPs' synchronisation, using samba-tool, which is part of the file sharing package, changing these elements will be reflected in the synchronised LDAP.

christian

  • Guest
Re: Password Policy setup
« Reply #12 on: October 07, 2012, 07:21:56 pm »
This would conflict with the ppolicy overlay, if any, wouldn't it?  ::)
Or this would mean that without Samba, no password policy..  :o
Well, as a matter of conclusion, there is no way to escape from the Microsoft world if what you explain is true...  :-[

FarquahrWindsor

  • Guest
Re: Password Policy setup
« Reply #13 on: October 07, 2012, 07:31:55 pm »
I am with you, but to be honest the whole debate on M$-centric seems slightly in the realm of purist ideals rather than working solutions.

I have several sites, and from the point of view of SSO auth and interoperability from a single source, Samba4 will provide this, and just because it emulates M$ AD, it still has Linux on that box; is it splitting hairs?

I say this because without Samba4, and looking at devices in a purist manner, the interoperability is seriously limiting, and only OK for those who can push a Linux-only solution.

I didn't realise Zentyal shipped with a ppolicy at the moment?

I don't mean this in any way to say that this is bad, but a certain level of compromise is going to be required so that both camps can have working solutions.

The problem is that if you are going to push that purist policy and have ppolicy, you are going to limit interoperability.
« Last Edit: October 07, 2012, 07:35:27 pm by FarquahrWindsor »

christian

  • Guest
Re: Password Policy setup
« Reply #14 on: October 07, 2012, 07:53:14 pm »
I agree that debating further on "Microsoft or not" is useless, so let's stop this here.
This said, either your wording or your technical understanding is maybe not wrong but biased: SSO is not here because of Samba but because of Kerberos. One could perfectly well have Kerberos, and therefore SSO, without any CIFS or AD-like service  ;)

Regarding the ppolicy overlay: as for account management, this is a matter of ownership.
One could have ppolicy available for LDAP and decide, just as an example:
- when Samba is not deployed, ppolicy can be configured locally (meaning in LDAP)
- when Samba is deployed, it takes ownership and local ppolicy updates are not possible because Samba owns everything.

BTW, this opens the door to a lot of other questions (I know this quite well because I had to design and implement LDAP - AD - mail account and password synchronisation a long time ago in another life).