[Samba] Samba 3.0.24 handling LDAP responses incorrectly

Ryan Steele rsteele at archer-group.com
Tue Apr 8 14:10:18 GMT 2008

Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>> It's not defined in my Samba source, but I guess that was the wrong
>> place to look.  On my system, /usr/include/ldap.h does in fact have that
>> defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
>> Windows still reports that the password couldn't be changed because the
>> domain was unavailable... have I zigged where I should've zagged, or is
>> Samba not setting rc properly when it gets the response from LDAP?
> Please check that your LDAP server indeed does return 0x13
> over the 389 connection. You might also add a DEBUG
> statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
> to check what smbd sees. That's at least what I would do.
> Volker

My initial process for building the binary package was flawed (the
makefile was using the wrong source tree).  After correcting that, the
new code has been inserted, and it is successfully returning
NT_STATUS_PASSWORD_RESTRICTION in pdb_ldap.c.  However, there is a
slight problem.  Instead of showing the user the message that LDAP is
passing back (and which Samba receives) which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
        Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is it possible to have Samba
convey to the user the message that LDAP returns, instead of returning
the aforementioned message?  I want the error the users see to reflect
why they're actually being denied a password change.

I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
why it's showing the user this message instead.  I see I can edit the
values that Samba is showing the user with pdbedit, but I shouldn't need
to edit that - my password policy is defined in LDAP, and those are the
messages I'd like the users to see.

Thanks as always for your help and insight,
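
Added example, not part of the original post and not Samba code: the LDAP diagnostic text quoted above does reach the smbd log, so an administrator can recover the real rejection reason per user from there. The function names and the sample log are constructed for illustration, modelled on the two entries in the post with the mail-client line wrapping undone.

```python
import re

# Constructed sample modelled on the log entries quoted in the post.
SAMPLE_LOG = """\
[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
\tPassword fails quality checking policy
[2008/04/08 05:36:02, 3] smbd/process.c:process_smb(1110)
  Transaction 42 of length 76
"""

# Entry header: "[timestamp, debuglevel] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
FAILURE = re.compile(
    r"LDAP Password could not be changed for user (?P<user>\S+): (?P<ldap_error>.+)")

def iter_entries(text):
    """Yield (header_fields, body_lines); the body runs up to the next header."""
    header, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if header is not None:
                yield header, body
            header, body = m.groupdict(), []
        elif header is not None and raw.strip():
            body.append(raw.strip())
    if header is not None:
        yield header, body

def password_change_failures(text):
    """Return one record per failed LDAP password change, with the server's reason."""
    failures = []
    for header, body in iter_entries(text):
        if header["func"] != "ldapsam_modify_entry" or not body:
            continue
        m = FAILURE.search(body[0])
        if m:
            failures.append({
                "time": header["ts"],
                "user": m.group("user"),
                "ldap_error": m.group("ldap_error"),            # LDAP result text
                "ldap_message": " ".join(body[1:]) or None,     # server diagnostic, if any
            })
    return failures
```
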

