[Samba] winbind and AD password updates

Mon May 15 09:33:01 GMT 2006

Hi,

On Mon, May 15, 2006 at 10:46:47AM +0200, Pierre Ossman wrote:
> Hi!
> 
> I've been trying to get password changes to work from a SuSE machine to 
> an AD server. Authentication works fine in AD mode, so at least that bit 
> is correct.
> 
> When trying to change the password, I get PAM error 4 back. Checking in 
> the logs, I see that winbind fails with the error 
> NT_STATUS_PASSWORD_RESTRICTION.
> 
> From Microsoft's documentation, I can read that this means that there 
> is some password policy that's rejecting the new password. But I cannot 
> find any such policy on the server, so I'm wondering if this can be 
> caused by something else?

No, there will be a default policy in place.

If you'd try a recent samba release for one of the SUSE products, the user
attemptimg to change a password would get delivered with the same amount
of information (explaining why the password change has failed) as you
would get on Windows XP.

Look for the 3.0.22 or 3.0.23pre1 download links on:
http://en.opensuse.org/Samba

> I'm also a bit confused as to how I can get NT error codes in AD mode. 
> Isn't it supposed to talk kerberos?

No, as Windows workstations change a user password using MSRPC protocolls
as well.

Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE Labs                        gd at suse.de
Samba Team                              gd at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20060515/7b04930b/attachment.bin