Hi Ryan,

I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
smbk5pwd overlays).

While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
on password change.  I currently have the following in my smb.conf
related to password changes:

        passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
        passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
        passdb backend = ldapsam:ldap://127.0.0.1

Correct me if I'm wrong, but I thought that the password chat was referring to some kind of Expect script to interact with the script referred to by the "passwd program" parameter (/usr/bin/ldappasswd in your case). There is some more info on this in the smb.conf man page.

Cheers,

Denis

I can change passwords, but there are a couple of things I've noticed
that don't work properly.

1. My 'passwd chat' text isn't reflected on the Windows clients on the
domain.  Instead, I get (when changing via ctrl+alt+delete or during
domain logon if the password has expired):

       User name:
       Log on to:
       Old password:
       New password:
       Confirm new password:

2. The password requirements set forth by ppolicy (such as length,
strength, and recently used passwords) don't seem to be adhered to.  I
can put in 'foobar' as the new password, change it to 'foobar1', change
it back to 'foobar', and Samba will happily change the passwords.  While
the change does take, and I can log in to the domain with 'foobar' or
'foobar1' as the password, it's certainly not what I want.  Conversely,
I get the desired results when invoking 'ldappasswd' from the command line:

        # Testing the weak password 'foobar'
        server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
        New password:
        Re-enter new password:
        Enter LDAP Password:
        Result: Constraint violation (19)
        Additional info: Password fails quality checking policy

        # Testing a password in the list of the last six passwords
        server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
        New password:
        Re-enter new password:
        Enter LDAP Password:
        Result: Constraint violation (19)
        Additional info: Password is in history of old passwords

If I try putting in something like 'a' as the password, I get a dialog
box that says:  "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Where is this text/requirement
list coming from?  And, how can I configure Samba such that it returns
the desired errors (above) to the user?

In the same vein, instead of having the sambaPasswordHistory attribute
in LDAP reflect the old hashed passwords, I just get one entry which reads:

       sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000

I would very much appreciate any advice you folks might be able to offer.

Thanks,
Ryan


--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.62.67
http://www.tranquil-it-systems.fr
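As an added example (not code from either poster), here is a small Python model of the expect/send mechanism Denis describes: it splits the `passwd chat` line quoted above into expect/send pairs, expands `%n`, `%o` and `\n` as the smb.conf man page documents, and replays the chat against the ldappasswd prompts quoted in the thread. It assumes a one-output-line-per-pair model with `*` wildcard matching; the real smbd buffers the program's output and waits with a timeout.

```python
import fnmatch

# The 'passwd chat' value quoted from the smb.conf in this thread.
PASSWD_CHAT = ('"*Enter NEW password*" %n\\n "*Confirm NEW password*" %n\\n '
               '"*Verify OLD password*" %o\\n "*Password changed*" \\n')

# Prompts and result line from the ldappasswd session quoted in the thread.
LDAPPASSWD_OUTPUT = ["New password:", "Re-enter new password:",
                     "Enter LDAP Password:", "Result: Constraint violation (19)"]

def tokenize(chat):
    """Split the chat string into tokens; double quotes group words with spaces."""
    tokens, i = [], 0
    while i < len(chat):
        if chat[i].isspace():
            i += 1
        elif chat[i] == '"':
            end = chat.index('"', i + 1)
            tokens.append(chat[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < len(chat) and not chat[end].isspace():
                end += 1
            tokens.append(chat[i:end])
            i = end
    return tokens

def expand(token, new_pw, old_pw):
    """Substitute %n (new password), %o (old password) and the \\n escape."""
    return token.replace("%n", new_pw).replace("%o", old_pw).replace("\\n", "\n")

def run_chat(chat, output_lines, new_pw, old_pw):
    """Replay expect/send pairs against captured program output, one line per
    pair ('.' = expect/send nothing). Real smbd buffers output with a timeout.
    Returns (ok, step, sent): sent is what would go to the program's stdin."""
    tokens = tokenize(chat)
    if len(tokens) % 2:
        raise ValueError("passwd chat must be expect/send pairs")
    sent = []
    for step, (expect, send) in enumerate(zip(tokens[0::2], tokens[1::2])):
        if expect != ".":
            if step >= len(output_lines):
                return False, step, sent  # program finished before this prompt
            if not fnmatch.fnmatchcase(output_lines[step], expect):
                return False, step, sent  # prompt/result did not match pattern
        if send != ".":
            sent.append(expand(send, new_pw, old_pw))
    return True, len(tokens) // 2, sent
```

Run against the quoted ldappasswd transcript, the chat fails at the very first expect pattern, and a final "Result: Constraint violation (19)" line never matches "*Password changed*", which is how the chat reports a rejected password back to smbd.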

