[Samba] Samba PDC, OpenLDAP, and passwd chat

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Apr 1 18:34:40 GMT 2008


Hi Ryan,

> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
> smbk5pwd overlays).
> 
> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
> on password change.  I currently have the following in my smb.conf
> related to password changes:
> 
>         passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
>         passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
>         passdb backend = ldapsam:ldap://127.0.0.1

Correct me if I'm wrong, but I thought that the password chat was 
referring to some kind of Expect script to interact with the script 
referred to by the "passwd program" parameter (/usr/bin/ldappasswd in 
your case). There is some more info on this in the smb.conf man page.

Cheers,

Denis

> I can change passwords, but there are a couple of things I've noticed
> that don't work properly.
> 
> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
> domain.  Instead, I get (when changing via ctrl+alt+delete or during
> domain logon if the password has expired):
> 
>        User name:
>        Log on to:
>        Old password:
>        New password:
>        Confirm new password:
> 
> 2. The password requirements set forth by ppolicy (such as length,
> strength, and recently used passwords) don't seem to be adhered to.  I
> can put in 'foobar' as the new password, change it to 'foobar1', change
> it back to 'foobar', and Samba will happily change the passwords.  While
> the change does take, and I can log in to the domain with 'foobar' or
> 'foobar1' as the password, it's certainly not what I want.  Conversely,
> I get the desired results when invoking 'ldappasswd' from the command-line:
> 
>         # Testing the weak password 'foobar'
>         server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>         New password:
>         Re-enter new password:
>         Enter LDAP Password:
>         Result: Constraint violation (19)
>         Additional info: Password fails quality checking policy
> 
>         # Testing a password in the list of the last six passwords
>         server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>         New password:
>         Re-enter new password:
>         Enter LDAP Password:
>         Result: Constraint violation (19)
>         Additional info: Password is in history of old passwords
> 
> If I try putting in something like 'a' as the password, I get a dialog
> box that says:  "Your password must be at least 5 characters, cannot
> repeat any of your previous 0 passwords and must be at least 0 days
> old.  Please type a different password.  Type a password that meets
> these requirements in both text boxes."  Where is this text/requirement
> list coming from?  And, how can I configure Samba such that it returns
> the desired errors (above) to the user?
> 
> In the same vein, instead of having the sambaPasswordHistory attribute
> in LDAP reflect the old hashed passwords, I just get one entry which reads:
> 
>        sambaPasswordHistory:
> 0000000000000000000000000000000000000000000000000000000000000000
> 
> I would very much appreciate any advice you folks might be able to offer.
> 
> Thanks,
> Ryan


-- 
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.62.67
http://www.tranquil-it-systems.fr
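Editor's added example (not code from the thread, from Samba, or from OpenLDAP) of the mechanism Denis describes: smb.conf's "passwd chat" is a list of expect/send tokens that smbd pairs up and plays against the output of "passwd program", matching each expect string as a shell-style wildcard pattern against what the program prints and substituting %n (new password), %o (old password) and the \n escape in the send strings. Two points from the man page worth knowing: Samba only runs the passwd program / passwd chat pair when "unix password sync = yes", and "passwd chat debug = yes" writes the strings sent and received to the smbd log at log level 100. The simulation below approximates that matching (case-sensitive globs via Python's fnmatch; Samba's exact matcher is not reproduced) against a constructed stand-in for "ldappasswd -x -W -S" whose prompts are the ones the transcript above shows ("New password:", "Re-enter new password:", "Enter LDAP Password:"); its length check and its "Result: Success (0)" line are invented for the demo. Run it and the chat quoted in the thread fails at the first step, because "*Enter NEW password*" never matches the prompt ldappasswd actually prints, while a chat written against the real prompts succeeds and surfaces the server's constraint-violation text on a weak password. It needs a Unix-like host (select on pipes).

```python
r"""Simulated Samba "passwd chat" run against a fake "passwd program".

Added example, not from the thread or from Samba.  It approximates how smbd
pairs up chat tokens (expect, send, expect, send ...), matches each expect
string as a glob against the program's output, and expands %n / %o and the
\n \r \t \s escapes in the send strings.  FAKE_LDAPPASSWD is constructed:
only its prompts are taken from the thread's ldappasswd -x -W -S transcript.
"""
import fnmatch
import os
import select
import shlex
import subprocess
import sys
import time

# Constructed stand-in for "/usr/bin/ldappasswd -x -W -S" (run as a child).
FAKE_LDAPPASSWD = r'''
import sys
def ask(prompt):
    sys.stdout.write(prompt); sys.stdout.flush()
    return sys.stdin.readline().rstrip("\n")
new, again, bind = ask("New password: "), ask("Re-enter new password: "), ask("Enter LDAP Password: ")
if new != again:
    print("Passwords do not match"); sys.exit(1)
if len(new) < 5:                      # stands in for the ppolicy quality check
    print("Result: Constraint violation (19)")
    print("Additional info: Password fails quality checking policy"); sys.exit(1)
print("Result: Success (0)")          # invented success line, not real ldappasswd output
'''

# The chat from the thread: its expect strings never match the real prompts.
RYAN_CHAT = (r'"*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n '
             r'"*Verify OLD password*" %o\n "*Password changed*" \n')
# Same program, expect strings matching what it prints (assumption: the bind
# password handed to "Enter LDAP Password" via %o is the user's old password).
FIXED_CHAT = (r'"*New password*" %n\n "*Re-enter new password*" %n\n '
              r'"*Enter LDAP Password*" %o\n "*Result: Success*"')


def parse_chat(chat):
    """Tokenise like smb.conf: whitespace-separated, double quotes group words,
    tokens alternate expect/send (a trailing expect may have no send)."""
    toks = [t.strip('"') for t in shlex.split(chat, posix=False)]
    if len(toks) % 2:
        toks.append("")
    return list(zip(toks[0::2], toks[1::2]))


def expand(token, new_pw, old_pw):
    # Escapes first (\n \r \t \s), then the %n / %o macros, so a password
    # containing a backslash is never re-interpreted.
    token = (token.replace("\\n", "\n").replace("\\r", "\r")
                  .replace("\\t", "\t").replace("\\s", " "))
    return token.replace("%n", new_pw).replace("%o", old_pw)


def expect(fd, pattern, timeout):
    """Read the program's output until it matches the glob, or give up."""
    buf, deadline = "", time.monotonic() + timeout
    while not fnmatch.fnmatchcase(buf, pattern):
        wait = deadline - time.monotonic()
        if wait <= 0 or not select.select([fd], [], [], wait)[0]:
            return False, buf                    # prompt never came
        chunk = os.read(fd, 4096)
        if not chunk:
            return False, buf                    # program exited first
        buf += chunk.decode(errors="replace")
    return True, buf


def run_chat(chat, new_pw, old_pw, timeout=1.0):
    """Drive the fake program with a chat; return (success, transcript)."""
    proc = subprocess.Popen([sys.executable, "-c", FAKE_LDAPPASSWD],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    fd, transcript = proc.stdout.fileno(), []
    try:
        for pat, reply in parse_chat(chat):
            pat = expand(pat, new_pw, old_pw)
            if pat != ".":                       # "." in smb.conf: expect nothing
                ok, seen = expect(fd, pat, timeout)
                transcript.append(seen)
                if not ok:
                    transcript.append("[chat failed: no match for %r]\n" % pat)
                    return False, "".join(transcript)
            reply = expand(reply, new_pw, old_pw)
            if reply:
                proc.stdin.write(reply.encode())
                proc.stdin.flush()
        proc.stdin.close()
        transcript.append(proc.stdout.read().decode(errors="replace"))
        return proc.wait(timeout=timeout) == 0, "".join(transcript)
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    for label, chat in (("thread's chat", RYAN_CHAT), ("matching chat", FIXED_CHAT)):
        ok, out = run_chat(chat, "foobar1", "foobar")
        print("%s: %s\n%s" % (label, "ok" if ok else "FAILED", out))
    ok, out = run_chat(FIXED_CHAT, "a", "foobar")
    print("weak password, matching chat: %s\n%s" % ("ok" if ok else "FAILED", out))
```

With an ldapsam backend the chat is not the only route: "ldap passwd sync = yes" has smbd update userPassword in LDAP itself instead of driving an external program, which is the setting to compare against before debugging a chat.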



