[Samba] Samba PDC, OpenLDAP, and passwd chat - Samba



Thread: [Samba] Samba PDC, OpenLDAP, and passwd chat

  1. [Samba] Samba PDC, OpenLDAP, and passwd chat

    Hey List,

    I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
    smbk5pwd overlays).

    While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
    on password change. I currently have the following in my smb.conf
    related to password changes:

    passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
    passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
    passdb backend = ldapsam:ldap://127.0.0.1

    I can change passwords, but there are a couple of things I've noticed
    that don't work properly.

    1. My 'passwd chat' text isn't reflected on the Windows clients on the
    domain. Instead, I get (when changing via ctrl+alt+delete or during
    domain logon if the password has expired):

    User name:
    Log on to:
    Old password:
    New password:
    Confirm new password:

    2. The password requirements set forth by ppolicy (such as length,
    strength, and recently used passwords) don't seem to be adhered to. I
    can put in 'foobar' as the new password, change it to 'foobar1', change
    it back to 'foobar', and Samba will happily change the passwords. While
    the change does take, and I can log in to the domain with 'foobar' or
    'foobar1' as the password, it's certainly not what I want. Conversely,
    I get the desired results when invoking 'ldappasswd' from the command-line:

    # Testing the weak password 'foobar'
    server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    New password:
    Re-enter new password:
    Enter LDAP Password:
    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy

    # Testing a password in the list of the last six passwords
    server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    New password:
    Re-enter new password:
    Enter LDAP Password:
    Result: Constraint violation (19)
    Additional info: Password is in history of old passwords

    If I try putting in something like 'a' as the password, I get a dialog
    box that says: "Your password must be at least 5 characters, cannot
    repeat any of your previous 0 passwords and must be at least 0 days
    old. Please type a different password. Type a password that meets
    these requirements in both text boxes." Where is this text/requirement
    list coming from? And, how can I configure Samba such that it returns
    the desired errors (above) to the user?

    In the same vein, instead of having the sambaPasswordHistory attribute
    in LDAP reflect the old hashed passwords, I just get one entry which reads:

    sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000

    I would very much appreciate any advice you folks might be able to offer.

    Thanks,
    Ryan
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Samba PDC, OpenLDAP, and passwd chat

    Hi Ryan,

    > I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
    > smbk5pwd overlays).
    >
    > While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
    > on password change. I currently have the following in my smb.conf
    > related to password changes:
    >
    > passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
    > passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
    > passdb backend = ldapsam:ldap://127.0.0.1


    Correct me if I'm wrong, but I thought that the password chat was
    referring to some kind of Expect script to interact with the script
    referred to by the "passwd program" parameter (/usr/bin/ldappasswd in
    your case). There is some more info on this in the smb.conf man page.

    Cheers,

    Denis

    > I can change passwords, but there are a couple of things I've noticed
    > that don't work properly.
    >
    > 1. My 'passwd chat' text isn't reflected on the Windows clients on the
    > domain. Instead, I get (when changing via ctrl+alt+delete or during
    > domain logon if the password has expired):
    >
    > User name:
    > Log on to:
    > Old password:
    > New password:
    > Confirm new password:
    >
    > 2. The password requirements set forth by ppolicy (such as length,
    > strength, and recently used passwords) don't seem to be adhered to. I
    > can put in 'foobar' as the new password, change it to 'foobar1', change
    > it back to 'foobar', and Samba will happily change the passwords. While
    > the change does take, and I can log in to the domain with 'foobar' or
    > 'foobar1' as the password, it's certainly not what I want. Conversely,
    > I get the desired results when invoking 'ldappasswd' from the command-line:
    >
    > # Testing the weak password 'foobar'
    > server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    > New password:
    > Re-enter new password:
    > Enter LDAP Password:
    > Result: Constraint violation (19)
    > Additional info: Password fails quality checking policy
    >
    > # Testing a password in the list of the last six passwords
    > server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    > New password:
    > Re-enter new password:
    > Enter LDAP Password:
    > Result: Constraint violation (19)
    > Additional info: Password is in history of old passwords
    >
    > If I try putting in something like 'a' as the password, I get a dialog
    > box that says: "Your password must be at least 5 characters, cannot
    > repeat any of your previous 0 passwords and must be at least 0 days
    > old. Please type a different password. Type a password that meets
    > these requirements in both text boxes." Where is this text/requirement
    > list coming from? And, how can I configure Samba such that it returns
    > the desired errors (above) to the user?
    >
    > In the same vein, instead of having the sambaPasswordHistory attribute
    > in LDAP reflect the old hashed passwords, I just get one entry which reads:
    >
    > sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
    >
    > I would very much appreciate any advice you folks might be able to offer.
    >
    > Thanks,
    > Ryan



    --
    Denis Cardon
    Tranquil IT Systems
    44 bvd des pas enchantés
    44230 Saint Sébastien sur Loire
    tel : +33 (0) 2.40.97.62.67
    http://www.tranquil-it-systems.fr



  3. Re: [Samba] Samba PDC, OpenLDAP, and passwd chat

    Hey Denis,

    Denis Cardon wrote:
    > Hi Ryan,
    >
    >> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
    >> smbk5pwd overlays).
    >>
    >> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
    >> on password change. I currently have the following in my smb.conf
    >> related to password changes:
    >>
    >> passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
    >> passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
    >> passdb backend = ldapsam:ldap://127.0.0.1

    >
    > Correct me if I'm wrong, but I thought that the password chat was
    > referring to some kind of Expect script to interact with the script
    > referred to by the "passwd program" parameter (/usr/bin/ldappasswd in
    > your case). There is some more info on this in the smb.conf man page.
    >


    Yeah, you're right. And, in reading the man page, I found this: "Note
    that this parameter is only used if the unix password sync
    parameter is set to yes". I, however, have "ldap passwd sync = yes",
    not "unix passwd sync = yes". So I guess 'passwd chat' isn't ever going
    to be used in my case?

    I can live with the default dialog, but I absolutely need to fix #2
    below - the ppolicy restrictions on password length, strength, etc. need
    to be adhered to. The fact that I get:

    "Your password must be at least 5 characters, cannot
    repeat any of your previous 0 passwords and must be at least 0 days
    old. Please type a different password. Type a password that meets
    these requirements in both text boxes."

    ...instead of the requirements set forth in OpenLDAP (minimum 6 chars,
    can't use previous 6 passwords, etc.) as demonstrated below is an issue.
    Where is it pulling these requirements from, and how can I get it to
    relay messages from OpenLDAP (e.g., the 'password fails quality
    checking' message) back to the user?
    >
    >> I can change passwords, but there are a couple of things I've noticed
    >> that don't work properly.
    >>
    >> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
    >> domain. Instead, I get (when changing via ctrl+alt+delete or during
    >> domain logon if the password has expired):
    >>
    >> User name:
    >> Log on to:
    >> Old password:
    >> New password:
    >> Confirm new password:
    >>
    >> 2. The password requirements set forth by ppolicy (such as length,
    >> strength, and recently used passwords) don't seem to be adhered to. I
    >> can put in 'foobar' as the new password, change it to 'foobar1', change
    >> it back to 'foobar', and Samba will happily change the passwords. While
    >> the change does take, and I can log in to the domain with 'foobar' or
    >> 'foobar1' as the password, it's certainly not what I want. Conversely,
    >> I get the desired results when invoking 'ldappasswd' from the
    >> command-line:
    >>
    >> # Testing the weak password 'foobar'
    >> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    >> New password:
    >> Re-enter new password:
    >> Enter LDAP Password:
    >> Result: Constraint violation (19)
    >> Additional info: Password fails quality checking policy
    >>
    >> # Testing a password in the list of the last six passwords
    >> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
    >> New password:
    >> Re-enter new password:
    >> Enter LDAP Password:
    >> Result: Constraint violation (19)
    >> Additional info: Password is in history of old passwords
    >>
    >> If I try putting in something like 'a' as the password, I get a dialog
    >> box that says: "Your password must be at least 5 characters, cannot
    >> repeat any of your previous 0 passwords and must be at least 0 days
    >> old. Please type a different password. Type a password that meets
    >> these requirements in both text boxes." Where is this text/requirement
    >> list coming from? And, how can I configure Samba such that it returns
    >> the desired errors (above) to the user?
    >>
    >> In the same vein, instead of having the sambaPasswordHistory attribute
    >> in LDAP reflect the old hashed passwords, I just get one entry which
    >> reads:
    >>
    >> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
    >>
    >> I would very much appreciate any advice you folks might be able to
    >> offer.
    >>
    >> Thanks,
    >> Ryan



  4. Re: [Samba] Samba PDC, OpenLDAP, and passwd chat

    > "Your password must be at least 5 characters, cannot
    > repeat any of your previous 0 passwords and must be at least 0 days
    > old. Please type a different password. Type a password that meets
    > these requirements in both text boxes."
    > ...instead of the requirements set forth in OpenLDAP (minimum 6 chars,
    > can't use previous 6 passwords, etc) as demonstrated below is an issue.
    > Where is it pulling these requirements from,


    The message comes from the security policy set on Samba via the pdbedit
    command. Setting a security policy via pdbedit is covered in the
    pdbedit man page.

    > and how can I get it to
    > relay messages from OpenLDAP (e.g., the 'password fails quality
    > checking' message) back to the user?


    You can't. Yes, this epically sucks.

    I'd be *thrilled* to know if you come up with any universal way to
    enforce password strength & re-use rules. Currently I know of only one
    - Active Directory.

    --
    Adam Tauno Williams, Network & Systems Administrator
    Consultant - http://www.whitemiceconsulting.com
    Developer - http://www.opengroupware.org

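    Added example, not from any post in this thread: Adam's answer says the numbers in the Windows dialog come from the Samba account policy set with pdbedit, so the practical step is to keep that policy in step with the OpenLDAP pwdPolicy entry rather than leaving it at "5 characters, 0 previous passwords". The POSIX shell script below reads a pwdPolicy entry in LDIF form and emits the matching pdbedit(8) commands. The LDIF is a constructed sample (minimum length 6, history 6, as in Ryan's description), the policy DN and the helper names are mine, and mapping ppolicy's pwdMaxAge 0 ("no expiry") to Samba's -1 is an assumption about Samba's account-policy encoding, not something the thread states. This only aligns what the client shows with what Samba itself checks; as Adam says, it does not relay slapd's own ppolicy rejections (quality check, history) back to the Windows client.

```shell
#!/bin/sh
# Added example (not from the thread): derive the pdbedit account-policy
# settings behind the Windows "Your password must be at least ..." dialog
# from an OpenLDAP ppolicy pwdPolicy entry, so the two stay in step.
#
# Assumptions (not from the page): the pwdPolicy entry is exported with
# ldapsearch as LDIF; the LDIF below is a constructed stand-in for that
# export; policy names are those listed in pdbedit(8); ages are in seconds
# on both sides; Samba's "maximum password age" of -1 means "never", while
# ppolicy expresses that as pwdMaxAge 0 or absent. Base64 (attr::) LDIF
# values are not handled.

# Constructed sample: what
#   ldapsearch -x -b cn=default,ou=Policies,dc=example,dc=com
# might return for a policy matching the thread (6 chars, 6 remembered).
SAMPLE_PPOLICY_LDIF='dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 6
pwdInHistory: 6
pwdMinAge: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdLockout: TRUE
'

# ldif_attr LDIF ATTR DEFAULT: print the first value of ATTR in LDIF,
# or DEFAULT when the attribute is absent.
ldif_attr() {
    val=$(printf '%s\n' "$1" | awk -v a="$2" '
        index($0, a ":") == 1 { sub("^" a ":[ \t]*", ""); print; exit }')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# ppolicy_to_pdbedit LDIF: print one pdbedit(8) command per policy value.
# Nothing is executed here; pipe the output into sh on the PDC to apply it.
ppolicy_to_pdbedit() {
    ldif=$1
    min_len=$(ldif_attr "$ldif" pwdMinLength 0)
    history=$(ldif_attr "$ldif" pwdInHistory 0)
    min_age=$(ldif_attr "$ldif" pwdMinAge 0)
    max_age=$(ldif_attr "$ldif" pwdMaxAge 0)
    lockout=$(ldif_attr "$ldif" pwdMaxFailure 0)

    # ppolicy: 0 / absent = passwords never expire; Samba: -1 = never (assumed).
    if [ "$max_age" -eq 0 ]; then
        max_age=-1
    fi

    printf 'pdbedit -P "min password length" -C %s\n' "$min_len"
    printf 'pdbedit -P "password history" -C %s\n' "$history"
    printf 'pdbedit -P "minimum password age" -C %s\n' "$min_age"
    printf 'pdbedit -P "maximum password age" -C %s\n' "$max_age"
    # pwdMaxFailure 0 and "bad lockout attempt" 0 both mean "no lockout".
    printf 'pdbedit -P "bad lockout attempt" -C %s\n' "$lockout"
}

# Show the commands for the constructed sample.
ppolicy_to_pdbedit "$SAMPLE_PPOLICY_LDIF"
```

    On the PDC, `pdbedit -P "min password length"` (no -C) prints the value currently in force, which is a quick way to confirm where the "at least 5 characters" figure in the client dialog is coming from before and after applying the generated commands. Because Samba evaluates these limits itself, the Windows client will at least see the same length and history rules as ldappasswd users do; a password that passes Samba's check but would fail slapd's pwdCheckQuality is still accepted, exactly as Ryan observed.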
