[Samba] Password policies in the LDAP server

Juan Asensio Sánchez okelet at gmail.com
Mon Jun 28 04:40:09 MDT 2010


Hi

We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
server, we have defined some policies to make the passwords stronger. When a
user tries to change his password (Control-Alt-Del), this message appears in
the logs:

==> /var/log/samba/xptest <==
[2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [10000001S] -> [10000001S]
-> [10000001S] succeeded
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: 10000001S
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user
10000001S: Constraint violation
      Failed to update password


==> /var/log/dirsrv/slapd-pruebas/audit <==
time: 20100628122637
dn: uid=10000001s,XXXXXXXXXXXXX
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
-
add: sambaLMPassword
sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
-
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
-
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
-
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
-
replace: modifiersname
modifiersname: uid=adminsamba,XXXXXXXXXXX
-
replace: modifytimestamp
modifytimestamp: 20100628102637Z
-

So, the Samba passwords are changed, but the unix password is not changed
because the LDAP server rejects it because it is not as strong as required. Is
there any way to avoid this? Shouldn't the unix password be changed before
the samba passwords to check if the LDAP server accepts it?

Regards.
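The order described above (sambaLMPassword/sambaNTPassword rewritten first, then the unix password rejected by the directory's policy) leaves an account whose Samba hashes no longer match its unix password. As an added example, not code from the post or from Samba, here is a small Python checker that correlates the Samba log with the 389 DS audit log to flag such accounts; the sample lines are constructed after the logs in the post, and the DN suffix is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the logs in the post (not real data).
SAMBA_LOG = """\
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user
10000001S: Constraint violation
      Failed to update password
"""

AUDIT_LOG = """\
time: 20100628122637
dn: uid=10000001s,dc=example,dc=com
changetype: modify
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
-
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
-
"""

# The Samba message spans two lines: the uid sits at the start of the next line.
FAILURE_RE = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] passdb/pdb_ldap\.c:ldapsam_modify_entry\(\d+\)"
    r"\s+ldapsam_modify_entry: LDAP Password could not be changed for user\s+(\S+): Constraint violation")

# One 389 DS audit entry runs from its "time:" line to the next "time:" line.
ENTRY_RE = re.compile(r"time: (\d{14})\ndn: uid=([^,]+),(.*?)(?=\ntime: |\Z)", re.S)


def samba_failures(text):
    """(timestamp, uid) for each ldapsam_modify_entry constraint violation."""
    return [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), uid.lower())
            for ts, uid in FAILURE_RE.findall(text)]


def audit_hash_updates(text):
    """(timestamp, uid) for each audit entry that wrote a new sambaNTPassword."""
    return [(datetime.strptime(ts, "%Y%m%d%H%M%S"), uid.lower())
            for ts, uid, body in ENTRY_RE.findall(text) if "add: sambaNTPassword" in body]


def find_desynced(samba_text, audit_text, window_s=120):
    """uids whose NT hash was rewritten shortly before the unix password change failed."""
    failures = samba_failures(samba_text)
    return sorted({uid for ts, uid in audit_hash_updates(audit_text)
                   for fts, fuid in failures
                   if fuid == uid and 0 <= (fts - ts).total_seconds() <= window_s})
```

Both logs are read as local time here; if the audit log on your server is written in UTC, convert before comparing.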

