Hey List,

I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
smbk5pwd overlays).

While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
on password change. I currently have the following in my smb.conf
related to password changes:

passwd program = /usr/bin/ldappasswd -x -W -S -D
uid=%u,ou=Users,dc=example,dc=com
passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW
password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
passdb backend = ldapsam:ldap://127.0.0.1

I can change passwords, but there are a couple of things I've noticed
that don't work properly.

1. My 'passwd chat' text isn't reflected on the Windows clients on the
domain. Instead, I get (when changing via ctrl+alt+delete or during
domain logon if the password has expired):

User name:
Log on to:
Old password:
New password:
Confirm new password:

2. The password requirements set forth by ppolicy (such as length,
strength, and recently used passwords) don't seem to be adhered to. I
can put in 'foobar' as the new password, change it to 'foobar1', change
it back to 'foobar', and Samba will happily change the passwords. While
the change does take, and I can log in to the domain with 'foobar' or
'foobar1' as the password, it's certainly not what I want. Conversely,
I get this desired results when invoking 'ldappasswd' from the command-line:

# Testing the weak password 'foobar'
server:~# /usr/bin/ldappasswd -x -W -S -D
uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

# Testing a password in the list of the last six passwords
server:~# /usr/bin/ldappasswd -x -W -S -D
uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

If I try putting in something like 'a' as the password, I get a dialog
box that says: "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old. Please type a different password. Type a password that meets
these requirements in both text boxes." Where is this text/requirement
list coming from? And, how can I configure Samba such that it returns
the desired errors (above) to the user?

In the same vein, instead of having the sambaPasswordHistory attribute
in LDAP reflect the old hashed passwords, I just get one entry which reads:

sambaPasswordHistory:
00000000000000000000000000000000000000000000000000 00000000000000

I would very much appreciate any advice you folks might be able to offer.

Thanks,
Ryan
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba