[Samba] Password policies in the LDAP server

Juan Asensio Sánchez okelet at gmail.com
Mon Jun 28 04:40:09 MDT 2010


We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
server, we have defined some policies to make the passwords stronger. When a
user tries to change his password (Control-Alt-Del), this message appears in
the logs:

==> /var/log/samba/xptest <==
[2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [10000001S] -> [10000001S]
-> [10000001S] succeeded
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: 10000001S
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user
10000001S: Constraint violation
      Failed to update password

==> /var/log/dirsrv/slapd-pruebas/audit <==
time: 20100628122637
dn: uid=10000001s,XXXXXXXXXXXXX
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
add: sambaLMPassword
sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
replace: modifiersname
modifiersname: uid=adminsamba,XXXXXXXXXXX
replace: modifytimestamp
modifytimestamp: 20100628102637Z

So, the Samba passwords are changed, but the Unix password is not changed,
because LDAP rejects it as it is not as strong as required. Is
there any way to avoid this? Shouldn't the Unix password be changed before
the Samba passwords, to check whether the LDAP server accepts it?
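The two logs in the post show the failure mode an administrator has to watch for: the audit record rewrites sambaLMPassword, sambaNTPassword and sambaPwdLastSet, no userPassword change appears, and Samba then reports "Constraint violation". The script below is an added example (not code from Samba, 389 DS or the original poster) that correlates a Samba log with a 389 DS audit log and lists accounts left in that desynchronized state, so they can be fixed rather than silently carrying a Samba hash that no longer matches the Unix password. The sample log text is constructed to mirror the post's format; the DN suffix, the second user and all hash values are placeholders, and matching is done on uid only, which assumes the audit record and the Samba error refer to the same change attempt.

```python
"""Correlate a Samba log with a 389 DS audit log to find accounts whose
Samba hashes were rewritten while the Unix password update was rejected."""
import re

# Constructed sample in the format shown in the post (values are placeholders).
SAMBA_LOG = """\
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user
10000001S: Constraint violation
      Failed to update password
"""

# Constructed audit log: first record has only Samba attributes rewritten,
# second record (a successful change) also carries a new userPassword.
AUDIT_LOG = """\
time: 20100628122637
dn: uid=10000001s,ou=People,dc=example,dc=test
changetype: modify
delete: sambaNTPassword
sambaNTPassword: 00000000000000000000000000000001
add: sambaNTPassword
sambaNTPassword: 00000000000000000000000000000002
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
replace: modifiersname
modifiersname: uid=adminsamba,ou=People,dc=example,dc=test

time: 20100628123000
dn: uid=20000002t,ou=People,dc=example,dc=test
changetype: modify
replace: sambaNTPassword
sambaNTPassword: 00000000000000000000000000000003
replace: userPassword
userPassword: {SSHA}placeholder
replace: modifiersname
modifiersname: uid=adminsamba,ou=People,dc=example,dc=test
"""

# Samba wraps the username onto the next line, so \s+ must also match newlines.
FAIL_RE = re.compile(
    r"LDAP Password could not be changed for user\s+(\S+):\s+([^\n]+)")

# Attribute names are case-insensitive in LDAP; compare them lowercased.
SAMBA_HASH_ATTRS = {"sambantpassword", "sambalmpassword"}


def parse_samba_failures(text):
    """Map lowercase username -> LDAP error string for each failed change."""
    return {m.group(1).lower(): m.group(2).strip() for m in FAIL_RE.finditer(text)}


def parse_audit(text):
    """Split the audit log into modify records: time, dn, uid and the set of
    attributes that were written (add/replace), lowercased."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"time": None, "dn": None, "written": set()}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "time":
                rec["time"] = value
            elif key == "dn":
                rec["dn"] = value
            elif key in ("add", "replace"):
                rec["written"].add(value.lower())
        m = re.match(r"uid=([^,]+)", rec["dn"] or "", re.IGNORECASE)
        rec["uid"] = m.group(1).lower() if m else None
        records.append(rec)
    return records


def find_desynced(audit_text, samba_text):
    """Return records where Samba hashes were written, userPassword was not,
    and Samba logged a rejected password change for the same uid."""
    failures = parse_samba_failures(samba_text)
    findings = []
    for rec in parse_audit(audit_text):
        if (rec["written"] & SAMBA_HASH_ATTRS
                and "userpassword" not in rec["written"]
                and rec["uid"] in failures):
            findings.append({"uid": rec["uid"], "time": rec["time"],
                             "reason": failures[rec["uid"]]})
    return findings


if __name__ == "__main__":
    for f in find_desynced(AUDIT_LOG, SAMBA_LOG):
        print(f"{f['uid']}: Samba hashes updated at {f['time']} but Unix "
              f"password rejected ({f['reason']}); hashes are out of sync")
```

Run against real files by reading `/var/log/samba/<client>` and `/var/log/dirsrv/slapd-<instance>/audit` into the two arguments; a production version should also require the audit timestamp and the Samba log timestamp to fall within a few seconds of each other, since a uid alone can match an older, unrelated change.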


