Hey list,

Recently I've gotten my Samba PDC to successfully use an OpenLDAP backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP. However, Samba appears to incorrectly handle responses from LDAP's ppolicy overlay, even though it very clearly receives them. If I enter a password (be it through Ctrl+Alt+Delete or when a password expires and the user is prompted at logon) that violates the ppolicy constraints, I get one of two scenarios.

1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf), Windows reports the password change was successful ("Your password has been changed" dialog box), when in fact none of the attributes have changed (including but not limited to sambaNTPassword and sambaLMPassword).

2. If logging is turned on (anything other than 0 in slapd.conf), Windows reports that "The system cannot change your password now because the domain DOMAINNAME is unavailable." While this is certainly not the case, at least in this situation the user is informed that the password change did not work.

I can see that LDAP does indeed pass back a response to Samba; from the LDAP logs:

Apr 4 10:47:37 servername slapd[12709]: do_extended
Apr 4 10:47:37 servername slapd[12709]: >>> dnPrettyNormal: <uid=tester,ou=Users,dc=example,dc=com>
Apr 4 10:47:37 servername slapd[12709]: <<< dnPrettyNormal: <uid=tester,ou=Users,dc=example,dc=com>, <uid=tester,ou=users,dc=example,dc=com>
Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password policy,ou=policies,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number of strength checks (1 of 3).[1]
Apr 4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr 4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid= len=0
Apr 4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25 tag=120 err=19
Apr 4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
Apr 4 10:47:42 servername slapd[12709]: connection_read(19): checking for input on id=77
Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed errno=0 (Success)
Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying conn=77 sd=19 for close
Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
Apr 4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
Apr 4 10:47:42 servername slapd[12709]: connection_read(13): checking for input on id=76
Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed errno=0 (Success)
Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying conn=76 sd=13 for close
Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1

...and Samba does receive this error message intact. From the Samba logs:

[2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user tester to be modified has dn: uid=tester,ou=Users,dc=example,dc=com
[2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: tester
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1207320457|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
  smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
[2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation Password fails quality checking policy
[2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
[2008/04/04 12:11:54, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
  init_samr_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1480)
  _samr_chgpasswd_user: 1480
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  0000 status: NT_STATUS_UNSUCCESSFUL

Yet, the error message is: "The system cannot change your password now because the domain DOMAINNAME is unavailable."

I wonder why Samba doesn't pass back the error verbatim to the client? Is this a bug, and is it patchable?

Respectfully,
Ryan

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
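As an added example (not part of Ryan's post, nor Samba or OpenLDAP code), the script below parses slapd and Samba log lines of the shape quoted above and flags password changes that the ppolicy overlay rejected but that Samba reported to the client as a bare NT_STATUS_UNSUCCESSFUL, which is what an administrator would want to alert on while the mapping is being fixed. The embedded log lines are constructed from the excerpts in the post, and the result-code table and the set of password-specific NT statuses are my own assumptions.

```python
import re

# Constructed sample lines modelled on the slapd and Samba excerpts in the post.
SLAPD_LOG = """\
Apr  4 10:47:30 servername slapd[12709]: send_ldap_response: msgid=12 tag=120 err=0
Apr  4 10:47:37 servername slapd[12709]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number of strength checks (1 of 3).
Apr  4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid= len=0
Apr  4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25 tag=120 err=19
"""
SAMBA_LOG = """\
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation Password fails quality checking policy
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  0000 status: NT_STATUS_UNSUCCESSFUL
"""
LDAP_RESULT_NAMES = {0: "success", 19: "constraintViolation", 53: "unwillingToPerform"}
EXT_RESP_TAG = 120  # LDAP extendedResp is [APPLICATION 24] = 0x78, the "tag=120" seen above
# Statuses that tell the client the password itself was rejected; anything else
# (NT_STATUS_UNSUCCESSFUL included) Windows renders as a generic domain failure.
PASSWORD_STATUSES = {"NT_STATUS_PASSWORD_RESTRICTION", "NT_STATUS_PWD_TOO_SHORT",
                     "NT_STATUS_PWD_TOO_RECENT", "NT_STATUS_PWD_HISTORY_CONFLICT"}
SLAPD_RESP = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")
SAMBA_EXT_FAIL = re.compile(r"Extended operation failed with error: (.+)")
SAMBA_USER = re.compile(r"could not be changed for user (\S+):")
SAMBA_STATUS = re.compile(r"status: (NT_STATUS_\w+)")

def ldap_rejections(slapd_log):
    """Extended-operation responses slapd sent back with a non-zero result code."""
    out = []
    for m in SLAPD_RESP.finditer(slapd_log):
        msgid, tag, err = (int(x) for x in m.groups())
        if tag == EXT_RESP_TAG and err != 0:
            out.append({"msgid": msgid, "err": err, "name": LDAP_RESULT_NAMES.get(err, "other")})
    return out

def samba_outcomes(samba_log):
    """Pair each failed LDAP extended op with the NT status Samba then returned to the client."""
    events, cur = [], None
    for line in samba_log.splitlines():
        if (m := SAMBA_EXT_FAIL.search(line)):
            cur = {"ldap_error": m.group(1).strip(), "user": None, "nt_status": None, "masked": None}
            events.append(cur)
        elif cur and (m := SAMBA_USER.search(line)):
            cur["user"] = m.group(1)
        elif cur and (m := SAMBA_STATUS.search(line)):
            cur["nt_status"] = m.group(1)
            cur["masked"] = m.group(1) not in PASSWORD_STATUSES  # policy error hidden from the user
            cur = None
    return events
```

Run `samba_outcomes(SAMBA_LOG)` against a real log to list each rejected change with its user and whether the client saw a password-policy status or a masked one; `ldap_rejections(SLAPD_LOG)` gives the slapd side for correlation by timestamp.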