Univention Bugzilla – Bug 44470
synchronize the PAM/s3/s4 password policies
Last modified: 2021-11-18 16:19:07 CET
+++ This bug was initially created as a clone of Bug #44090 +++

When s4 is installed, the change password module does not honor the default password policy (cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base).

>> The change password module does not honor the default password policy:
> If you use Samba 4, you have to set the Samba password settings.
>> Where can this be done? Are there also UCR variables etc. for this in UCS?
> 'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'

The UCS PAM and Samba integration should synchronize the PAM/s3/s4 password policies.
*** Bug 44090 has been marked as a duplicate of this bug. ***
Our policy implementation defines the policies per user, so you are able to define different settings for every single user. The S4 implementation defines the setting for the domain. So, we have two different concepts which are both already implemented and used. If I remember correctly, we wanted to do the following things:

1. Write an SDB article about the situation (Bug #35997)
2. Explain more about the concepts in UMC while modifying password policies or S4 settings.
> > If you use Samba 4, you have to set the Samba password settings.
> >> Where can this be done? Are there also UCR variables etc. for this in UCS?
> > 'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'

udm settings/sambaconfig seems to be deprecated since UCS 2.1, and no new object of it can be added. Instead, settings/sambadomain should be used. Therefore the object sambaDomainName=$WINDOWSDOMAIN,cn=samba,$ldap_base can be modified.
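The two commands quoted above are the places where the two policies live. As an added check (example code, not part of this bug or of Univention's own tooling), the script below parses the output of `udm policies/pwhistory list` for the default policy and of `samba-tool domain passwordsettings show` and reports every setting on which the two disagree; the sample outputs are constructed, and the UDM property names (pwLength, length, expiryInterval) and the samba-tool labels are assumptions about the real output format.

```python
import re

# Constructed sample of `udm policies/pwhistory list` output for the default policy;
# the property names pwLength, length and expiryInterval are assumptions.
UDM_SAMPLE = """\
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com
  name: default-settings
  pwLength: 8
  length: 3
  expiryInterval: 90
"""

# Constructed sample of `samba-tool domain passwordsettings show` output;
# the exact labels are an assumption about the command's output format.
SAMBA_SAMPLE = """\
Password history length: 24
Minimum password length: 7
Maximum password age (days): 42
"""

# (label, UDM property, samba-tool label) for the settings both policies express
PAIRS = [
    ("minimum password length", "pwLength", "Minimum password length"),
    ("password history length", "length", "Password history length"),
    ("maximum password age (days)", "expiryInterval", "Maximum password age (days)"),
]

def parse_udm(text):
    """Collect the indented 'property: value' lines of udm list output (the DN line is skipped)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\w+): (.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def parse_samba(text):
    """Collect the 'Label: value' lines of samba-tool output."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def policy_drift(udm_text, samba_text):
    """Return (label, udm_value, samba_value) for every setting the two policies disagree on."""
    udm, samba = parse_udm(udm_text), parse_samba(samba_text)
    return [(label, udm.get(u), samba.get(s))
            for label, u, s in PAIRS if udm.get(u) != samba.get(s)]
```

On a real system the two strings would be replaced by the captured command output; an empty result means the UDM default policy and the Samba domain settings agree on the compared values.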
This is a bug. And it does impair usability in key scenarios for large environments where password self-service is a must. To be sure: the Self Service app does not honor the configured password policy when Samba is installed. Both modules, 'password change' and 'password reset', end up behaving in different (unexpected, undocumented) ways.
Ok, this feature request is 3 years old now: Bug 35809. It would be nice if Samba already supported fine-grained password policies (Bug 45128); then we might be able to use them, but it doesn't. A way I could imagine to improve the situation here would be what Stefan already mentioned in Bug 44090 Comment 1: patch the Samba Heimdal to check the UDM policies in a similar way as we have patched stand-alone Heimdal (see Bug 22108 Comment 8, but only check the policy instead of setting the password in UDM). I think it would be worthwhile to move in that direction.
The customer was not aware that he needed to configure the password policy twice and locked out the users in the Samba world. It is not easy to explain this complicated configuration in UCS to customers. So, four and a half years old, but still relevant.