Hey Denis,

Denis Cardon wrote:
> Hi Ryan,
>
>> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
>> smbk5pwd overlays).
>>
>> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
>> on password change. I currently have the following in my smb.conf
>> related to password changes:
>>
>> passwd program = /usr/bin/ldappasswd -x -W -S -D
>> uid=%u,ou=Users,dc=example,dc=com
>> passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW
>> password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
>> passdb backend = ldapsam:ldap://127.0.0.1

>
> Correct me if I'm wrong, but I thought that the password chat was
> refering to some kind of Expect script to interact with the script
> refered by the "password program" parameters (/usr/bin/ldappasswd in
> your case). There is some more info on this in the smb.conf man page.
>


Yeah, you're right. And, in reading the man page, I found this: "Note
that this parameter only is only used if the unix password sync
parameter is set to yes". I, however, have "ldap passwd sync = yes",
not "unix passwd sync = yes". So I guess 'passwd chat' isn't ever going
to be used in my case?

I can live with the default dialog, but I absolutely need to fix #2
below - the ppolicy restrictions on password length, strength, etc. need
to be adhered to. The fact that I get:

"Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old. Please type a different password. Type a password that meets
these requirements in both text boxes."

....instead of the requirements set forth in OpenLDAP (minimum 6 chars,
can't use previous 6 passwords, etc) as demonstrated below is an issue.
Where is it pulling these requirements from, and how can I get it to
relay messages from OpenLDAP (e.g., the 'password fails quality
checking' message) back to the user?
>
>> I can change passwords, but there are a couple of things I've noticed
>> that don't work properly.
>>
>> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
>> domain. Instead, I get (when changing via ctrl+alt+delete or during
>> domain logon if the password has expired):
>>
>> User name:
>> Log on to:
>> Old password:
>> New password:
>> Confirm new password:
>>
>> 2. The password requirements set forth by ppolicy (such as length,
>> strength, and recently used passwords) don't seem to be adhered to. I
>> can put in 'foobar' as the new password, change it to 'foobar1', change
>> it back to 'foobar', and Samba will happily change the passwords. While
>> the change does take, and I can log in to the domain with 'foobar' or
>> 'foobar1' as the password, it's certainly not what I want. Conversely,
>> I get this desired results when invoking 'ldappasswd' from the
>> command-line:
>>
>> # Testing the weak password 'foobar'
>> server:~# /usr/bin/ldappasswd -x -W -S -D
>> uid=tester,ou=Users,dc=example,dc=com
>> New password:
>> Re-enter new password:
>> Enter LDAP Password:
>> Result: Constraint violation (19)
>> Additional info: Password fails quality checking policy
>>
>> # Testing a password in the list of the last six passwords
>> server:~# /usr/bin/ldappasswd -x -W -S -D
>> uid=tester,ou=Users,dc=example,dc=com
>> New password:
>> Re-enter new password:
>> Enter LDAP Password:
>> Result: Constraint violation (19)
>> Additional info: Password is in history of old passwords
>>
>> If I try putting in something like 'a' as the password, I get a dialog
>> box that says: "Your password must be at least 5 characters, cannot
>> repeat any of your previous 0 passwords and must be at least 0 days
>> old. Please type a different password. Type a password that meets
>> these requirements in both text boxes." Where is this text/requirement
>> list coming from? And, how can I configure Samba such that it returns
>> the desired errors (above) to the user?
>>
>> In the same vein, instead of having the sambaPasswordHistory attribute
>> in LDAP reflect the old hashed passwords, I just get one entry which
>> reads:
>>
>> sambaPasswordHistory:
>> 00000000000000000000000000000000000000000000000000 00000000000000
>>
>> I would very much appreciate any advice you folks might be able to
>> offer.
>>
>> Thanks,
>> Ryan

>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba