[Samba] Samba PDC, OpenLDAP, and passwd chat

Ryan Steele rsteele at archer-group.com
Tue Apr 1 19:08:06 GMT 2008


Hey Denis,

Denis Cardon wrote:
> Hi Ryan,
>
>> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
>> smbk5pwd overlays).
>>
>> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
>> on password change.  I currently have the following in my smb.conf
>> related to password changes:
>>
>>         passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
>>         passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
>>         passdb backend = ldapsam:ldap://127.0.0.1
>
> Correct me if I'm wrong, but I thought that the password chat was
> referring to some kind of Expect script to interact with the script
> referred to by the "password program" parameter (/usr/bin/ldappasswd in
> your case). There is some more info on this in the smb.conf man page.
>

Yeah, you're right.  And, in reading the man page, I found this: "Note
that this parameter is only used if the unix password sync
parameter is set to yes".  I, however, have "ldap passwd sync = yes",
not "unix passwd sync = yes".  So I guess 'passwd chat' isn't ever going
to be used in my case?

I can live with the default dialog, but I absolutely need to fix #2
below - the ppolicy restrictions on password length, strength, etc. need
to be adhered to.  The fact that I get:

"Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."

...instead of the requirements set forth in OpenLDAP (minimum 6 chars,
can't use previous 6 passwords, etc) as demonstrated below is an issue. 
Where is it pulling these requirements from, and how can I get it to
relay messages from OpenLDAP (e.g., the 'password fails quality
checking' message) back to the user?
>
>> I can change passwords, but there are a couple of things I've noticed
>> that don't work properly.
>>
>> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
>> domain.  Instead, I get (when changing via ctrl+alt+delete or during
>> domain logon if the password has expired):
>>
>>        User name:
>>        Log on to:
>>        Old password:
>>        New password:
>>        Confirm new password:
>>
>> 2. The password requirements set forth by ppolicy (such as length,
>> strength, and recently used passwords) don't seem to be adhered to.  I
>> can put in 'foobar' as the new password, change it to 'foobar1', change
>> it back to 'foobar', and Samba will happily change the passwords.  While
>> the change does take, and I can log in to the domain with 'foobar' or
>> 'foobar1' as the password, it's certainly not what I want.  Conversely,
>> I get the desired results when invoking 'ldappasswd' from the
>> command-line:
>>
>>         # Testing the weak password 'foobar'
>>         server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>>         New password:
>>         Re-enter new password:
>>         Enter LDAP Password:
>>         Result: Constraint violation (19)
>>         Additional info: Password fails quality checking policy
>>
>>         # Testing a password in the list of the last six passwords
>>         server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>>         New password:
>>         Re-enter new password:
>>         Enter LDAP Password:
>>         Result: Constraint violation (19)
>>         Additional info: Password is in history of old passwords
>>
>> If I try putting in something like 'a' as the password, I get a dialog
>> box that says:  "Your password must be at least 5 characters, cannot
>> repeat any of your previous 0 passwords and must be at least 0 days
>> old.  Please type a different password.  Type a password that meets
>> these requirements in both text boxes."  Where is this text/requirement
>> list coming from?  And, how can I configure Samba such that it returns
>> the desired errors (above) to the user?
>>
>> In the same vein, instead of having the sambaPasswordHistory attribute
>> in LDAP reflect the old hashed passwords, I just get one entry which
>> reads:
>>
>>        sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>>
>> I would very much appreciate any advice you folks might be able to
>> offer.
>>
>> Thanks,
>> Ryan
>
>

