[Samba] Password policies in the LDAP server

Willy Offermans Willy at Offermans.Rompen.nl
Thu Jul 1 06:27:03 MDT 2010


Hello Samba Friend,

I'm sorry that I cannot help you in finding an answer to your question,
but I'm rather interested in how you can add password policies to the
LDAP server. Is this OpenLDAP, and how did you implement the policies?

On Mon, Jun 28, 2010 at 12:40:09PM +0200, Juan Asensio Sánchez wrote:
> Hi
> 
> We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
> server, we have defined some policies to make the passwords stronger. When a
> user tries to change his password (Control-Alt-Del), this message appears in
> the LOGs:
> 
> ==> /var/log/samba/xptest <==
> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password:  authentication for user [10000001S] -> [10000001S]
> -> [10000001S] succeeded
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: 10000001S
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
>   init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
>   init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
>   init_ldap_from_sam: Setting entry for user: 10000001S
> [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
>   ldapsam_modify_entry: LDAP Password could not be changed for user
> 10000001S: Constraint violation
>       Failed to update password
> 
> 
> ==> /var/log/dirsrv/slapd-pruebas/audit <==
> time: 20100628122637
> dn: uid=10000001s,XXXXXXXXXXXXX
> changetype: modify
> delete: sambaLMPassword
> sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
> -
> add: sambaLMPassword
> sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
> -
> delete: sambaNTPassword
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> -
> add: sambaNTPassword
> sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
> -
> delete: sambaPwdLastSet
> sambaPwdLastSet: 1277720109
> -
> add: sambaPwdLastSet
> sambaPwdLastSet: 1277720798
> -
> replace: modifiersname
> modifiersname: uid=adminsamba,XXXXXXXXXXX
> -
> replace: modifytimestamp
> modifytimestamp: 20100628102637Z
> -
> 
> So, the Samba passwords are changed, but the unix password is not changed
> because the LDAP server rejects it because it is not as strong as required. Is
> there any way to avoid this? Shouldn't the unix password be changed before
> the samba passwords to check if the LDAP server accepts it?
> 
> Regards.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Willy

*************************************
Dr. W.K. Offermans
CAT Postdoctoral Fellow
CAT Catalytic Center
Institut für Technische und Makromolekulare Chemie
RWTH Aachen
Worringerweg 1, Raum 38C-150
D-52074 Aachen, Germany
Phone:  +49 241 80 28592
Fax:    +49 241 80 22593
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy at Offermans.Rompen.nl
e-mail: Willy.Offermans at CatalyticCenter.RWTH-Aachen.de

                                       Powered by ....

                                            (__)
                                         \\\'',)
                                           \/  \ ^
                                           .\._/_)

                                       www.FreeBSD.org
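As an added illustration, not code from the thread or from Samba, here is a small Python check over the 389 DS audit-log format quoted above: it lists modify records that rewrote sambaNTPassword/sambaLMPassword without a userPassword change for the same dn within a time window, which is the inconsistent state a rejected userPassword change leaves behind. The sample records, the dn suffix and the hash values are constructed, and the window assumes the userPassword update is logged as a separate record close in time.

```python
from datetime import datetime
SAMBA_HASH_ATTRS = {"sambantpassword", "sambalmpassword"}

# Constructed sample in the 389 DS audit-log format: one hash-only rewrite
# (the failure case) and one user whose userPassword change landed 1s later.
SAMPLE_AUDIT = """\
time: 20100628122637
dn: uid=10000001s,ou=people,dc=example,dc=com
changetype: modify
replace: sambaNTPassword
sambaNTPassword: 11111111111111111111111111111111
-

time: 20100628123000
dn: uid=otheruser,ou=people,dc=example,dc=com
changetype: modify
replace: sambaNTPassword
sambaNTPassword: 22222222222222222222222222222222
-

time: 20100628123001
dn: uid=otheruser,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-placeholder
-
"""

def parse_audit(text):
    records = []  # (time, dn, attributes touched) per modify record
    for block in text.strip().split("\n\n"):
        fields, attrs = {}, set()
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key in ("add", "delete", "replace"):  # LDIF modify op lines
                attrs.add(value.lower())
            else:
                fields[key] = value  # time, dn, changetype, attribute values
        if fields.get("changetype", "").lower() == "modify":
            when = datetime.strptime(fields["time"], "%Y%m%d%H%M%S")
            records.append((when, fields["dn"].lower(), attrs))
    return records

def find_desynced(text, window_seconds=60):
    """Hash updates with no userPassword change for the same dn in the window."""
    recs = parse_audit(text)
    pw = [(t, d) for t, d, a in recs if "userpassword" in a]
    return [(dn, t.strftime("%Y%m%d%H%M%S")) for t, dn, attrs in recs
            if attrs & SAMBA_HASH_ATTRS and not any(
                d == dn and abs((pt - t).total_seconds()) <= window_seconds for pt, d in pw)]
```

Run it against the real audit log with `find_desynced(open("/var/log/dirsrv/slapd-pruebas/audit").read())`; every dn it returns is a user whose NT/LM hashes no longer match the unix password and should be forced through a fresh change.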

