From: Juan Asensio Sánchez on 28 Jun 2010 06:50

Hi

We have some Samba servers using LDAP (389 DS) as backend. In the LDAP server, we have defined some policies to make the passwords stronger. When a user tries to change his password (Control-Alt-Del), this message appears in the logs:

==> /var/log/samba/xptest <==
[2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [10000001S] -> [10000001S] -> [10000001S] succeeded
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: 10000001S
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 10000001S: Constraint violation
        Failed to update password

==> /var/log/dirsrv/slapd-pruebas/audit <==
time: 20100628122637
dn: uid=10000001s,XXXXXXXXXXXXX
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
-
add: sambaLMPassword
sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
-
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
-
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
-
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
-
replace: modifiersname
modifiersname: uid=adminsamba,XXXXXXXXXXX
-
replace: modifytimestamp
modifytimestamp: 20100628102637Z
-

So, the Samba passwords are changed, but the unix password is not changed because the LDAP rejects it because it is not as strong as required. Is there any way to avoid this? Shouldn't the unix password be changed before the samba passwords to check if the LDAP server accepts it?

Regards.
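Added example, not part of the original message and not Samba or 389 DS code: a Python check that correlates the two logs quoted above to list accounts whose Samba hashes were written while the LDAP server rejected the unix password with a constraint violation. The sample log text is constructed (placeholder hash value and DN suffix), and the 10-second matching window and both logs using the same local timezone are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the two log formats quoted in the post
# (hash value and DN suffix are placeholders, second user is made up).
SAMBA_LOG = """\
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 10000001S: Constraint violation
[2010/06/28 12:40:02, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 10000002T: Constraint violation
"""
AUDIT_LOG = """\
time: 20100628122637
dn: uid=10000001s,dc=example,dc=invalid
changetype: modify
add: sambaNTPassword
sambaNTPassword: PLACEHOLDER-NEW-HASH
-
"""

HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+\d+\]")
FAIL = re.compile(r"LDAP Password could not be changed for user (\S+): Constraint violation")
REC = re.compile(r"(?ms)^time: (\d{14})$(.*?)(?=^time: |\Z)")

def rejected_changes(samba_log):
    """Yield (user, time) for each password change the LDAP server rejected."""
    stamp = None
    for line in samba_log.splitlines():
        h = HDR.match(line)
        if h:  # Samba puts the timestamp on the line before the message
            stamp = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
        m = FAIL.search(line)
        if m and stamp:
            yield m.group(1).lower(), stamp

def hash_updates(audit_log):
    """Yield (uid, time) for audit records that write sambaNTPassword."""
    for rec in REC.finditer(audit_log):
        dn = re.search(r"(?mi)^dn: uid=([^,]+),", rec.group(2))
        if dn and re.search(r"(?m)^(add|replace): sambaNTPassword$", rec.group(2)):
            yield dn.group(1).lower(), datetime.strptime(rec.group(1), "%Y%m%d%H%M%S")

def desynchronised(samba_log, audit_log, window=timedelta(seconds=10)):
    """Users whose Samba hashes changed although the unix password was rejected."""
    updates = list(hash_updates(audit_log))
    return sorted({u for u, t in rejected_changes(samba_log)
                   if any(u == uid and abs(t - ts) <= window for uid, ts in updates)})

if __name__ == "__main__":
    print(desynchronised(SAMBA_LOG, AUDIT_LOG))
```

User names are compared case-insensitively because Samba logs 10000001S while the directory DN uses uid=10000001s.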