[Samba] Samba 3.0.24 handling LDAP responses incorrectly
John Drescher
drescherjm at gmail.com
Fri Apr 4 20:47:56 GMT 2008
On Fri, Apr 4, 2008 at 4:41 PM, Ryan Steele <rsteele at archer-group.com> wrote:
> Hey list,
>
> Recently I've gotten my Samba PDC to successfully use an OpenLDAP
> backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP.
> However, Samba appears to incorrectly handle responses from LDAP's
> ppolicy overlay, even though it very clearly receives them. If I enter
> in a password (be it through Ctrl+Alt+Delete or when a password expires
> and the user is prompted at logon) that violates the ppolicy
> constraints, I get one of two scenarios.
>
> 1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf),
> Windows reports the password change was successful ("Your password has
> been changed" dialog box), when in fact none of the attributes have
> changed (including but not limited to sambaNTPassword, sambaLMPassword).
>
> 2. If logging is turned on (anything other than 0 in the slapd.conf),
> Windows reports that "The system cannot change your password now because
> the domain DOMAINNAME is unavailable." While this is certainly not the
> case, at least in this situation the user is informed that the password
> change did not work.
>
> I can see that LDAP does indeed pass back a response to Samba; from the
> LDAP logs:
>
> Apr 4 10:47:37 servername slapd[12709]: do_extended
> Apr 4 10:47:37 servername slapd[12709]: >>> dnPrettyNormal:
> <uid=tester,ou=Users,dc=example,dc=com>
> Apr 4 10:47:37 servername slapd[12709]: <<< dnPrettyNormal:
> <uid=tester,ou=Users,dc=example,dc=com>,
> <uid=tester,ou=users,dc=example,dc=com>
> Apr 4 10:47:37 servername slapd[12709]:
> bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
> Apr 4 10:47:37 servername slapd[12709]:
> bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]:
> bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password
> policy,ou=policies,dc=example,dc=com")
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]: check_password_quality: module
> error: (check_password.so) Password for
> dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number
> of strength checks (1 of 3).[1]
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid=
> len=0
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25
> tag=120 err=19
> Apr 4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
> Apr 4 10:47:42 servername slapd[12709]: connection_read(19): checking
> for input on id=77
> Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed
> errno=0 (Success)
> Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying
> conn=77 sd=19 for close
> Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
> Apr 4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
> Apr 4 10:47:42 servername slapd[12709]: connection_read(13): checking
> for input on id=76
> Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed
> errno=0 (Success)
> Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying
> conn=76 sd=13 for close
> Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1
>
> ...and, Samba does receive this error message intact. From the Samba logs:
>
> [2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
> ldapsam_update_sam_account: user tester to be modified has dn:
> uid=tester,ou=Users,dc=example,dc=com
> [2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
> init_ldap_from_sam: Setting entry for user: tester
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
> smbldap_make_mod: deleting attribute |sambaPwdCanChange| values
> |1207320457|
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
> smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
> smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
> [2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
> smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
> Extended operation failed with error: Constraint violation (Password
> fails quality checking policy)
> [2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
> ldapsam_modify_entry: LDAP Password could not be changed for user
> tester: Constraint violation
> Password fails quality checking policy
> [2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
> pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
> [2008/04/04 12:11:54, 5]
> rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
> init_samr_r_chgpasswd_user
> [2008/04/04 12:11:54, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1480)
> _samr_chgpasswd_user: 1480
> [2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
> 000000 samr_io_r_chgpasswd_user
> [2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
> 0000 status: NT_STATUS_UNSUCCESSFUL
>
> Yet, the error message is: "The system cannot change your password now
> because the domain DOMAINNAME is unavailable." I wonder why Samba
> doesn't pass back the error verbatim to the client? Is this a bug, and
> is it patchable?
>
I think the bug/problem is that this message is being displayed
instead of "Password could not be changed for user
tester: Constraint violation" and "does not pass required number of
strength checks (1 of 3)."
John
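As an added example (not code from this thread or from Samba), a small Python checker that groups Samba debug log records by their `[date time, level] file:function(line)` header, correlates the LDAP backend's verdict with the NT status Samba returns to the client, and flags the symptom described above: a policy rejection that reaches the client only as a generic NT_STATUS_UNSUCCESSFUL or as a reported success. The log excerpt is constructed from the lines quoted in the post with the mail-client wrapping repaired.

```python
import re

# Constructed excerpt modelled on the Samba 3.0.24 debug log quoted in the post
# (same user, DN, messages and NT status; mail-client line wrapping repaired).
SAMBA_LOG = """\
[2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
  Password fails quality checking policy
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  0000 status: NT_STATUS_UNSUCCESSFUL
"""

# Samba debug header: "[date time, level] file:function(line)"; body lines follow it.
HEADER = re.compile(r"^\[(?P<ts>\S+ \S+), *(?P<level>\d+)\] (?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
EXTOP_FAIL = re.compile(r"Extended operation failed with error: (?P<err>[^(]+?)(?: \((?P<detail>[^)]*)\))?$")
PDB_FAIL = re.compile(r"LDAP Password could not be changed for user (?P<user>\S+):")
NTSTATUS = re.compile(r"status: (?P<status>NT_STATUS_\w+)")

# Statuses that tell the Windows client nothing about why the change was refused.
GENERIC_STATUS = {"NT_STATUS_UNSUCCESSFUL", "NT_STATUS_OK"}


def parse_records(text):
    """Group a Samba debug log into (header fields, [body lines]) records."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append((m.groupdict(), []))
        elif records:
            records[-1][1].append(raw.strip())
    return records


def audit_password_change(text):
    """Correlate the LDAP backend's verdict with the NT status sent to the client."""
    result = {"user": None, "ldap_error": None, "ldap_detail": None, "nt_status": None}
    for hdr, body in parse_records(text):
        joined = " ".join(body)
        if hdr["func"] == "smbldap_extended_operation" and (m := EXTOP_FAIL.search(joined)):
            result["ldap_error"] = m["err"].strip()
            result["ldap_detail"] = m["detail"]
        elif hdr["func"] == "ldapsam_modify_entry" and (m := PDB_FAIL.search(joined)):
            result["user"] = m["user"]
        elif hdr["func"] == "prs_ntstatus" and (m := NTSTATUS.search(joined)):
            result["nt_status"] = m["status"]
    # "masked": the backend refused the change, but the client only saw a generic
    # status (or a success), so the user cannot tell the policy was the reason.
    result["masked"] = result["ldap_error"] is not None and result["nt_status"] in GENERIC_STATUS
    return result
```

Running `audit_password_change(SAMBA_LOG)` on the excerpt reports user `tester`, LDAP error `Constraint violation`, NT status `NT_STATUS_UNSUCCESSFUL` and `masked` set, which is the mismatch the post asks about.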