[Samba] Samba 3.0.24 handling LDAP responses incorrectly

Ryan Steele steele at agora-net.com
Tue Apr 8 14:01:22 GMT 2008

Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>> It's not defined in my Samba source, but I guess that was the wrong
>> place to look.  On my system, /usr/include/ldap.h does in fact have that
>> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
>> Windows still reports that the password couldn't be changed because the
>> domain was unavailable... have I zigged where I should've zagged, or is
>> Samba not setting rc properly when it gets the response from LDAP?
> Please check that your LDAP server indeed does return 0x13
> over the 389 connection. You might also add a DEBUG
> statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
> to check what smbd sees. That's at least what I would do.
> Volker

My initial process was flawed (the makefile I was using was pointing to
the wrong source tree).  I have now gotten the new code in pdb_ldap.c
working, but there's still a slight issue.  It returns
NT_STATUS_PASSWORD_RESTRICTION as expected, but instead of passing back
the message that LDAP sends, which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
        Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is there any way to get Samba
to use what it's being given by LDAP, instead of using these values? 
I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
where it's actually getting those from, but it's not what the users are
being restricted by and I'd like the error messages to reflect the LDAP
restrictions that it's passing back to Samba.

Thanks as always for your help and insight,
