[Samba] strange behaviour of "check password script"

Jeroen Vriesman linuxificator at gmail.com
Thu Mar 13 11:56:26 GMT 2008


Hi list,

Samba version: 3.0.23d-4 on Debian etch.

To enforce complex passwords I've added the line:

check password script = /usr/local/scripts/checkpw

Where checkpw is a script returning 0 if ok, and returning an error if not
ok.

The restrictions the script checks are:

at least one uppercase, at least one lowercase, at least one number, at
least one non-alphanum character and at least 8 characters long.

The script is tested on the command line and works fine.

Now, when a user tries to change the password and types a password which is
not ok, Windows XP says that "3 out four of the following... upper, lower,
number, non-alpha". This is a standard Windows message, so it seems ok.

But now for the strange thing: the password requirements turn out to be "3
out of 4" instead of "4 out of 4", so Windows XP seems to apply its own
password restrictions instead of the restrictions of the script.

And that works, so a user can choose a password, e.g. "1234azAZ", without any
%^* or so, while the checkpw script doesn't allow that.

And, even stranger, when I use "smbpasswd -r our_samba_server -U
myusername" to change my password (from the command prompt of my Linux PC) I
can use any password I want.

These are relevant smb.conf parameters:

passdb backend = ldapsam:"ldap://our_ldap_server:389"
enable privileges = Yes
check password script = /usr/local/scripts/checkpw
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

Any ideas?

regards,
Jeroen.
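
An added example, not part of the original post and not the poster's script: a POSIX shell sketch of the "4 out of 4" policy described above. It reads the candidate password from standard input, which is how smb.conf(5) documents that the check password script receives it, and returns 0 only for an acceptable password. The function names and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names and sample
# passwords are constructed for illustration.

# Print how many of the four character classes (upper, lower, digit,
# non-alphanumeric) occur in $1.
class_count() {
    n=0
    case $1 in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case $1 in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# Read one candidate password from stdin, the way smbd supplies it, and
# return 0 only if it is at least 8 characters and uses all 4 classes.
check_policy() {
    pw=''
    IFS= read -r pw || :          # tolerate input with no trailing newline
    [ "${#pw}" -ge 8 ] || return 1
    [ "$(class_count "$pw")" -eq 4 ] || return 1
    return 0
}

# Constructed samples; the first is the password quoted in the post,
# which satisfies "3 out of 4" but not "4 out of 4".
for sample in '1234azAZ' 'Ab1!' 'Tr0ub4dor&3x'; do
    if printf '%s\n' "$sample" | check_policy; then
        verdict=accept
    else
        verdict=reject
    fi
    echo "$sample: $(class_count "$sample") of 4 classes, $verdict"
done
```

To use this as the configured script, replace the sample loop with a call to `check_policy` as the last command, so that its status becomes the script's exit status.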

