[Samba] passwd program error causes misleading windows error message

James Holmes jdh at rtds.com
Fri Feb 13 00:29:21 GMT 2009


I have Samba set up to use an external password change command using:

[global]
...
unix password sync = Yes
ldap password sync = No
passwd program = /path/to/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n

I use the Idealx smbldap-passwd command to update my LDAP database and
everything works fine. I decided to modify the smbldap-passwd script to
check for bad passwords. I used CPAN's Data::Password module to do this.

However, I have one issue with this: if the user enters a bad password, I
have the script return an exit code of 10 (because that's what the
Idealx script does in other places to indicate an error). When the
end user changes their Windows password with CTRL-ALT-DELETE -> Change
Password, it works fine if the password validates okay, but if it fails
validation, Windows returns a very misleading "you do not have
permission to change your password".

I did some experimentation to see if changing the exit code in the
smbldap-passwd script had any effect, but it doesn't seem to. Is there
some way to get Windows to return a more reasonable error message when
this script fails? Or does someone else have a better way of
accomplishing this same goal?

-- 
James Holmes
RTDS Technologies Inc.
(204) 989-9706

