Hello,
I set up a password policy on my LDAP. It should also be seen by Samba, but it is not... I cannot get the policy applied when I try to change a password with the "smbpasswd" command. I get the impression that the only policy Samba takes into account is the one from pdbedit.
I am asking for help from those who have already set up this kind of solution in the past.
Here is my smb.conf:
[code][global]
workgroup = TEST
server string = Controleur de domaine
netbios name = Alderaan
unix password sync = no
pam password change = yes
domain master = yes
local master = yes
domain logons = yes
client lanman auth = no
client ntlmv2 auth = Yes
lanman auth = yes
ntlm auth = yes
security = user
os level = 40
ldap ssl = off
ldap passwd sync = no
passdb backend = ldapsam:ldap://192.168.3.111/
ldap admin dn = cn=samba,dc=ma,dc=base
ldap suffix = dc=ma,dc=base
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = yes
encrypt passwords = yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
#character set = iso8859-1
#domain admin group = @admin
dns proxy = No
wins support = Yes
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
passwd program = /usr/sbin/smbldap-passwd "%u"
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
unix charset = iso-8859-15
display charset = iso-8859-15
dos charset = 850
obey pam restrictions = yes
[/code]
[code]include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload ppolicy.la
moduleload smbk5pwd.la
sizelimit 500
tool-threads 1
backend bdb
database bdb
overlay smbk5pwd
smbk5pwd-enable samba
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=ma,dc=base"
ppolicy_hash_cleartext
ppolicy_use_lockout
suffix "dc=ma,dc=base"
rootdn "cn=samba,dc=ma,dc=base"
rootpw monmdp
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by dn="cn=samba,dc=ma,dc=base" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
by dn="cn=samba,dc=ma,dc=base" write
by * read
[/code]
My ppolicy.ldif:
[code]dn: ou=policies,dc=ma,dc=base
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.com
dn: cn=default,ou=policies,dc=ma,dc=base
objectClass: pwdPolicyChecker
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 14688
pwdExpireWarning: 5000
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 60
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdCheckModule: check_password.so
sn: dummy value
[/code]
Thanks for your replies, flake
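A quick way to check the configuration shown in the post for this behaviour, as an added example that is not part of the original post: it parses the smb.conf [global] section and the ppolicy entry and reports whether a Samba-driven password change ever modifies the attribute the policy governs (with ldapsam and ldap passwd sync = no, Samba writes only sambaNTPassword/sambaLMPassword, so slapo-ppolicy never sees the change). The sample configs are constructed and the function names are mine.

```python
import re

# Constructed sample configs mirroring the post: ldapsam backend, 'ldap passwd sync = no', ppolicy on userPassword.
SMB_CONF = """\
[global]
   passdb backend = ldapsam:ldap://192.168.3.111/
   ldap passwd sync = no
"""
PPOLICY_LDIF = """\
dn: cn=default,ou=policies,dc=ma,dc=base
objectClass: pwdPolicy
pwdAttribute: userPassword
"""

def parse_global(text):
    """Return [global] parameters as {lower-cased name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # smb.conf comment lines
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'global' and '=' in line:
            name, value = line.split('=', 1)
            params[name.strip().lower()] = value.strip()
    return params

def pwd_attribute(ldif):
    """The one attribute slapo-ppolicy evaluates for this policy entry."""
    m = re.search(r'^pwdAttribute:\s*(\S+)', ldif, re.MULTILINE)
    return m.group(1) if m else None

def attributes_written_by_samba(params):
    """Attributes an ldapsam password change modifies, per smb.conf(5):
    'ldap passwd sync' no -> NT/LM hashes only; yes -> hashes plus
    userPassword (Password Modify exop); only -> userPassword alone."""
    if not params.get('passdb backend', '').lower().startswith('ldapsam'):
        return set()
    sync = params.get('ldap passwd sync', 'no').lower()
    if sync == 'only':
        return {'userPassword'}
    written = {'sambaNTPassword', 'sambaLMPassword'}
    if sync in ('yes', 'true', '1'):
        written.add('userPassword')
    return written

def ppolicy_sees_samba_changes(smb_conf, ldif):
    return pwd_attribute(ldif) in attributes_written_by_samba(parse_global(smb_conf))
```

Feed it the contents of the real smb.conf and ppolicy.ldif to see whether smbpasswd changes reach userPassword; it checks the attribute path only, not slapd ACLs or the DN Samba binds as.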