[Samba] Password policies in the LDAP server

Juan Asensio Sánchez okelet at gmail.com
Wed Jun 30 05:17:56 MDT 2010


Well, if this can help anybody, I found a workaround that is not perfect,
but works fine.

http://lists.fedoraproject.org/pipermail/389-users/2010-June/011685.html

Regards.


On 28 June 2010 at 12:40, Juan Asensio Sánchez <okelet at gmail.com> wrote:

> Hi
>
> We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
> server, we have defined some policies to make the passwords stronger. When a
> user tries to change his password (Control-Alt-Del), this message appears in
> the LOGs:
>
> ==> /var/log/samba/xptest <==
> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password:  authentication for user [10000001S] -> [10000001S]
> -> [10000001S] succeeded
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: 10000001S
> [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
>   init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
>   init_group_from_ldap: Entry found for group: 10001
> [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
>   init_ldap_from_sam: Setting entry for user: 10000001S
> [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
>   ldapsam_modify_entry: LDAP Password could not be changed for user
> 10000001S: Constraint violation
>       Failed to update password
>
>
> ==> /var/log/dirsrv/slapd-pruebas/audit <==
> time: 20100628122637
> dn: uid=10000001s,XXXXXXXXXXXXX
> changetype: modify
> delete: sambaLMPassword
> sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
> -
> add: sambaLMPassword
> sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
> -
> delete: sambaNTPassword
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> -
> add: sambaNTPassword
> sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
> -
> delete: sambaPwdLastSet
> sambaPwdLastSet: 1277720109
> -
> add: sambaPwdLastSet
> sambaPwdLastSet: 1277720798
> -
> replace: modifiersname
> modifiersname: uid=adminsamba,XXXXXXXXXXX
> -
> replace: modifytimestamp
> modifytimestamp: 20100628102637Z
> -
>
> So, the Samba passwords are changed, but the Unix password is not changed
> because the LDAP server rejects it because it is not as strong as required. Is
> there any way to avoid this? Shouldn't the Unix password be changed before
> the Samba passwords to check if the LDAP server accepts it?
>
> Regards.
>
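
As an added example that is not part of the thread (it is not Samba or 389 DS code), the Python below covers the two sides of the question. parse_audit_log and find_desynced read records shaped like the /var/log/dirsrv audit excerpt above and flag any modify that rewrote sambaNTPassword or sambaLMPassword without also touching userPassword in the same operation, which is exactly the state the poster ends up in once the password policy rejects the Unix password after Samba has already stored the new hashes. build_atomic_password_modify shows why the grouping matters: an LDAP modify is performed as a single atomic operation (RFC 4511, section 4.6), so when userPassword and the Samba hashes travel together a constraint violation on userPassword rolls back the hashes as well. The DNs, hash values and sample log are constructed, and the NT/LM hashes are taken as inputs rather than computed here. Whether Samba's passdb can be made to issue the change that way is a question for the Samba code and the workaround linked above, not something this snippet settles.

```python
"""Added example, not code from Samba or 389 DS: spot Samba/Unix password
desynchronisation in a 389 DS audit log, and build the single LDAP modify that
makes such a change all-or-nothing. DNs and hash values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMBA_HASH_ATTRS = {"sambalmpassword", "sambantpassword"}
# Change-record lines inside an LDIF 'changetype: modify' entry.
MOD_LINE = re.compile(r"^(add|delete|replace|increment):\s*(\S+)\s*$", re.I)


@dataclass
class ModifyOp:
    time: str
    dn: str
    attrs: Set[str] = field(default_factory=set)  # attribute names touched, lower-cased


def parse_audit_log(text: str) -> List[ModifyOp]:
    """Parse the blank-line separated, LDIF-style records of a 389 DS audit log.
    Only 'changetype: modify' records are returned; attribute values are dropped."""
    ops: List[ModifyOp] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header: Dict[str, str] = {}
        attrs: Set[str] = set()
        for line in block.splitlines():
            m = MOD_LINE.match(line)
            if m:
                attrs.add(m.group(2).lower())
                continue
            for key in ("time", "dn", "changetype"):
                if key not in header and line.lower().startswith(key + ":"):
                    header[key] = line.split(":", 1)[1].strip()
        if header.get("changetype", "").lower() == "modify":
            ops.append(ModifyOp(header.get("time", ""), header.get("dn", ""), attrs))
    return ops


def find_desynced(ops: List[ModifyOp]) -> List[ModifyOp]:
    """Flag modifies that rewrote a Samba hash without touching userPassword in
    the same operation (the thread's pattern: hashes committed, Unix password
    then rejected by the policy in a separate modify)."""
    return [op for op in ops
            if op.attrs & SAMBA_HASH_ATTRS and "userpassword" not in op.attrs]


def build_atomic_password_modify(dn: str, new_password: str, nt_hash: str,
                                 lm_hash: Optional[str], pwd_last_set: int) -> str:
    """One LDIF modify record replacing userPassword and the Samba hashes together.
    An LDAP modify is applied as a single atomic operation (RFC 4511, section 4.6),
    so a policy rejection of userPassword leaves the Samba hashes unchanged too.
    nt_hash/lm_hash are hex strings computed elsewhere; lm_hash=None omits the
    weak LM hash, which Samba does not need when 'lanman auth = no'."""
    changes = [("userPassword", new_password), ("sambaNTPassword", nt_hash)]
    if lm_hash is not None:
        changes.append(("sambaLMPassword", lm_hash))
    changes.append(("sambaPwdLastSet", str(pwd_last_set)))
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample: record 1 mirrors the thread (Samba hashes only, no
# userPassword); record 2 changed both in one operation.
SAMPLE_AUDIT_LOG = """\
time: 20100628122637
dn: uid=10000001s,ou=people,dc=example,dc=com
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 000000000000000000000000000000A1
-
add: sambaLMPassword
sambaLMPassword: 000000000000000000000000000000A2
-
delete: sambaNTPassword
sambaNTPassword: 000000000000000000000000000000B1
-
add: sambaNTPassword
sambaNTPassword: 000000000000000000000000000000B2
-
replace: modifiersname
modifiersname: uid=adminsamba,ou=special,dc=example,dc=com
-

time: 20100628122700
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLW9ubHk=
-
replace: sambaNTPassword
sambaNTPassword: 000000000000000000000000000000C1
-
"""

if __name__ == "__main__":
    for op in find_desynced(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{op.time} {op.dn}: Samba hashes changed without userPassword")
    print(build_atomic_password_modify("uid=alice,ou=people,dc=example,dc=com",
                                       "N3w-Passw0rd!", "0" * 32, None, 1277720798))
```

To use it on a real server, read the audit log file into parse_audit_log; every record returned by find_desynced names a user whose Samba and Unix passwords may be out of step and should be reconciled, for instance by forcing another change. The checker looks only at attribute names and never needs the values, so it is safe to run over a log that contains hashes.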