[Samba] Samba PDC, OpenLDAP, and passwd chat

Ryan Steele rsteele at archer-group.com
Tue Apr 1 18:12:58 GMT 2008 

Hey List,

I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
smbk5pwd overlays).

While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
on password change.  I currently have the following in my smb.conf
related to password changes:

        passwd program = /usr/bin/ldappasswd -x -W -S -D
uid=%u,ou=Users,dc=example,dc=com
        passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW
password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
        passdb backend = ldapsam:ldap://127.0.0.1

I can change passwords, but there are a couple of things I've noticed
that don't work properly.

1. My 'passwd chat' text isn't reflected on the Windows clients on the
domain.  Instead, I get (when changing via ctrl+alt+delete or during
domain logon if the password has expired):

       User name:
       Log on to:
       Old password:
       New password:
       Confirm new password:

2. The password requirements set forth by ppolicy (such as length,
strength, and recently used passwords) don't seem to be adhered to.  I
can put in 'foobar' as the new password, change it to 'foobar1', change
it back to 'foobar', and Samba will happily change the passwords.  While
the change does take, and I can log in to the domain with 'foobar' or
'foobar1' as the password, it's certainly not what I want.  Conversely,
I get this desired results when invoking 'ldappasswd' from the command-line:

        # Testing the weak password 'foobar'
        server:~# /usr/bin/ldappasswd -x -W -S -D
uid=tester,ou=Users,dc=example,dc=com
        New password:
        Re-enter new password:
        Enter LDAP Password:
        Result: Constraint violation (19)
        Additional info: Password fails quality checking policy

        # Testing a password in the list of the last six passwords
        server:~# /usr/bin/ldappasswd -x -W -S -D
uid=tester,ou=Users,dc=example,dc=com
        New password:
        Re-enter new password:
        Enter LDAP Password:
        Result: Constraint violation (19)
        Additional info: Password is in history of old passwords

If I try putting in something like 'a' as the password, I get a dialog
box that says:  "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Where is this text/requirement
list coming from?  And, how can I configure Samba such that it returns
the desired errors (above) to the user?

In the same vein, instead of having the sambaPasswordHistory attribute
in LDAP reflect the old hashed passwords, I just get one entry which reads:

       sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000

I would very much appreciate any advice you folks might be able to offer.

Thanks,
Ryan

More information about the samba mailing list