[Samba] Samba 3.0.24 handling LDAP responses incorrectly

Ryan Steele rsteele at archer-group.com
Fri Apr 4 20:41:18 GMT 2008


Hey list,

Recently I've gotten my Samba PDC to successfully use an OpenLDAP
backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP. 
However, Samba appears to incorrectly handle responses from LDAP's
ppolicy overlay, even though it very clearly receives them.  If I enter
in a password (be it through Ctrl+Alt+Delete or when a password expires
and the user is prompted at logon) that violates the ppolicy
constraints, I get one of two scenarios.

1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf),
Windows reports the password change was successful ("Your password has
been changed" dialog box), when in fact none of the attributes have
changed (including but not limited to sambaNTPassword and sambaLMPassword).

2. If logging is turned on (anything other than 0 in the slapd.conf),
Windows reports that "The system cannot change your password now because
the domain DOMAINNAME is unavailable."  While this is certainly not the
case, at least in this situation the user is informed that the password
change did not work.

I can see that LDAP does indeed pass back a response to Samba; from the
LDAP logs:

Apr  4 10:47:37 servername slapd[12709]: do_extended
Apr  4 10:47:37 servername slapd[12709]: >>> dnPrettyNormal:
<uid=tester,ou=Users,dc=example,dc=com>
Apr  4 10:47:37 servername slapd[12709]: <<< dnPrettyNormal:
<uid=tester,ou=Users,dc=example,dc=com>,
<uid=tester,ou=users,dc=example,dc=com>
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password
policy,ou=policies,dc=example,dc=com")
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]: check_password_quality: module
error: (check_password.so) Password for
dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number
of strength checks (1 of 3).[1]
Apr  4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr  4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid=
len=0
Apr  4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25
tag=120 err=19
Apr  4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
Apr  4 10:47:42 servername slapd[12709]: connection_read(19): checking
for input on id=77
Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed
errno=0 (Success)
Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=77 sd=19 for close
Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
Apr  4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
Apr  4 10:47:42 servername slapd[12709]: connection_read(13): checking
for input on id=76
Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed
errno=0 (Success)
Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=76 sd=13 for close
Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1

...and, Samba does receive this error message intact.  From the Samba logs:

[2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user tester to be modified has dn:
uid=tester,ou=Users,dc=example,dc=com
[2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: tester
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values
|1207320457|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
  smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
[2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
        Password fails quality checking policy
[2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
[2008/04/04 12:11:54, 5]
rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
  init_samr_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1480)
  _samr_chgpasswd_user: 1480
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_UNSUCCESSFUL

Yet, the error message is: "The system cannot change your password now
because the domain DOMAINNAME is unavailable."   I wonder why Samba
doesn't pass back the error verbatim to the client?  Is this a bug, and
is it patchable?

Respectfully,
Ryan
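The mismatch the post describes can be checked mechanically by correlating the two log excerpts: slapd answers the password-modify extended operation with result code 19 (constraintViolation, RFC 4511) and the ppolicy reason, and Samba turns that into a bare NT_STATUS_UNSUCCESSFUL. The script below is an added example, not part of the original post nor of Samba's or OpenLDAP's code. The log lines are constructed from the excerpts above (wrapped lines rejoined); the table of NTSTATUS values is from MS-ERREF, and the assumption that a Windows client would render NT_STATUS_PASSWORD_RESTRICTION as a policy error rather than "domain unavailable" is this script's own, not something the post demonstrates.

```python
"""Correlate slapd and Samba log lines for a rejected password change.

Added example (not from the post, Samba or OpenLDAP). Flags the case where
slapd rejected the LDAP password-modify with a ppolicy constraintViolation
but Samba returned a generic NTSTATUS to the Windows client.
"""
import re

# RFC 4511 result codes that show up on failed password-modify operations.
LDAP_RESULT_NAMES = {
    0: "success",
    19: "constraintViolation",      # ppolicy: quality, history, too-young
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# NTSTATUS values from MS-ERREF. Which one the client renders as a policy
# message is an assumption of this script; the post only shows that
# NT_STATUS_UNSUCCESSFUL is displayed as "domain ... is unavailable".
NT_STATUS_CODES = {
    "NT_STATUS_OK": 0x00000000,
    "NT_STATUS_UNSUCCESSFUL": 0xC0000001,
    "NT_STATUS_PASSWORD_RESTRICTION": 0xC000006C,
}

SLAPD_RESULT_RE = re.compile(r"send_ldap_result: conn=(\d+) op=(\d+)")
SLAPD_EXTENDED_RE = re.compile(r"send_ldap_extended: err=(\d+)")
SLAPD_QUALITY_RE = re.compile(r"check_password_quality: (.+)$")
SAMBA_EXTENDED_RE = re.compile(r"Extended operation failed with error: (.+)$")
SAMBA_STATUS_RE = re.compile(r"status: (NT_STATUS_\w+)")

# Constructed sample input, rebuilt from the post's excerpts.
SLAPD_LOG = """\
Apr  4 10:47:37 servername slapd[12709]: do_extended
Apr  4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password policy,ou=policies,dc=example,dc=com")
Apr  4 10:47:37 servername slapd[12709]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number of strength checks (1 of 3).
Apr  4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr  4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid= len=0
Apr  4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25 tag=120 err=19
""".splitlines()

SAMBA_LOG = """\
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_UNSUCCESSFUL
""".splitlines()


def parse_slapd(lines):
    """Return conn/op, result code and ppolicy reason of the last extended op slapd answered."""
    found = {"conn": None, "op": None, "err": None, "reason": None}
    for line in lines:
        m = SLAPD_RESULT_RE.search(line)
        if m:
            found["conn"], found["op"] = int(m.group(1)), int(m.group(2))
            continue
        m = SLAPD_EXTENDED_RE.search(line)
        if m:
            found["err"] = int(m.group(1))
            continue
        m = SLAPD_QUALITY_RE.search(line)
        if m:
            found["reason"] = m.group(1).strip()
    return found


def parse_samba(lines):
    """Return the LDAP error text Samba logged and the NTSTATUS it sent back over SAMR."""
    found = {"ldap_error": None, "nt_status": None}
    for line in lines:
        m = SAMBA_EXTENDED_RE.search(line)
        if m:
            found["ldap_error"] = m.group(1).strip()
            continue
        m = SAMBA_STATUS_RE.search(line)
        if m:
            found["nt_status"] = m.group(1)
    return found


def expected_nt_status(ldap_err):
    """Status this script expects a PDC to return for a given LDAP result (assumption)."""
    if ldap_err == 0:
        return "NT_STATUS_OK"
    if ldap_err == 19:
        return "NT_STATUS_PASSWORD_RESTRICTION"   # lets the client say "policy", not "unavailable"
    return "NT_STATUS_UNSUCCESSFUL"               # other codes really are server-side failures


def classify(slapd_lines, samba_lines):
    """Join both logs and say whether the client got an honest status."""
    s, b = parse_slapd(slapd_lines), parse_samba(samba_lines)
    report = {
        "ldap_err": s["err"],
        "ldap_result": LDAP_RESULT_NAMES.get(s["err"], f"code {s['err']}"),
        "ldap_reason": s["reason"],
        "samba_ldap_error": b["ldap_error"],
        "nt_status": b["nt_status"],
        "expected_nt_status": expected_nt_status(s["err"]) if s["err"] is not None else None,
    }
    if s["err"] is None:
        report["verdict"] = "uncorrelated"        # loglevel 0: slapd logged nothing to match
    elif b["nt_status"] is None:
        report["verdict"] = "no-status"
    elif b["nt_status"] == report["expected_nt_status"]:
        report["verdict"] = "consistent"
    elif s["err"] != 0 and b["nt_status"] == "NT_STATUS_OK":
        report["verdict"] = "silent-failure"      # rejection reported to the client as success
    else:
        report["verdict"] = "flattened"           # specific LDAP error collapsed to a generic status
    return report


if __name__ == "__main__":
    for key, value in classify(SLAPD_LOG, SAMBA_LOG).items():
        print(f"{key:20} {value}")
```

Run against the post's own excerpts the verdict is "flattened": slapd sent err=19 with a quality-check reason, Samba logged the same constraint violation, and still answered the SAMR password change with NT_STATUS_UNSUCCESSFUL. Feeding it an empty slapd log (the loglevel 0 case) yields "uncorrelated", which is why scenario 1 cannot be diagnosed from the directory side at all; only the Samba log and the unchanged sambaNTPassword/sambaLMPassword attributes show that nothing happened.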