Hey Denis,

Denis Cardon wrote:
> Hi Ryan,
>
>> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
>> smbk5pwd overlays).
>>
>> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
>> on password change. I currently have the following in my smb.conf
>> related to password changes:
>>
>> passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
>> passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
>> passdb backend = ldapsam:ldap://127.0.0.1
>
> Correct me if I'm wrong, but I thought that the password chat was
> referring to some kind of Expect script to interact with the script
> referred to by the "password program" parameter (/usr/bin/ldappasswd in
> your case). There is some more info on this in the smb.conf man page.
>

Yeah, you're right. And, in reading the man page, I found this: "Note that this parameter is only used if the unix password sync parameter is set to yes". I, however, have "ldap passwd sync = yes", not "unix passwd sync = yes". So I guess 'passwd chat' isn't ever going to be used in my case?

I can live with the default dialog, but I absolutely need to fix #2 below - the ppolicy restrictions on password length, strength, etc. need to be adhered to. The fact that I get:

"Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes."

...instead of the requirements set forth in OpenLDAP (minimum 6 chars, can't use previous 6 passwords, etc.) as demonstrated below is an issue. Where is it pulling these requirements from, and how can I get it to relay messages from OpenLDAP (e.g., the 'password fails quality checking' message) back to the user?

>
>> I can change passwords, but there are a couple of things I've noticed
>> that don't work properly.
>>
>> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
>> domain. Instead, I get (when changing via ctrl+alt+delete or during
>> domain logon if the password has expired):
>>
>> User name:
>> Log on to:
>> Old password:
>> New password:
>> Confirm new password:
>>
>> 2. The password requirements set forth by ppolicy (such as length,
>> strength, and recently used passwords) don't seem to be adhered to. I
>> can put in 'foobar' as the new password, change it to 'foobar1', change
>> it back to 'foobar', and Samba will happily change the passwords. While
>> the change does take, and I can log in to the domain with 'foobar' or
>> 'foobar1' as the password, it's certainly not what I want. Conversely,
>> I get the desired results when invoking 'ldappasswd' from the
>> command-line:
>>
>> # Testing the weak password 'foobar'
>> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>> New password:
>> Re-enter new password:
>> Enter LDAP Password:
>> Result: Constraint violation (19)
>> Additional info: Password fails quality checking policy
>>
>> # Testing a password in the list of the last six passwords
>> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
>> New password:
>> Re-enter new password:
>> Enter LDAP Password:
>> Result: Constraint violation (19)
>> Additional info: Password is in history of old passwords
>>
>> If I try putting in something like 'a' as the password, I get a dialog
>> box that says: "Your password must be at least 5 characters, cannot
>> repeat any of your previous 0 passwords and must be at least 0 days
>> old. Please type a different password. Type a password that meets
>> these requirements in both text boxes." Where is this text/requirement
>> list coming from? And, how can I configure Samba such that it returns
>> the desired errors (above) to the user?
>>
>> In the same vein, instead of having the sambaPasswordHistory attribute
>> in LDAP reflect the old hashed passwords, I just get one entry which
>> reads:
>>
>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>>
>> I would very much appreciate any advice you folks might be able to
>> offer.
>>
>> Thanks,
>> Ryan
>

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
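An added example, not from Ryan's or Denis's messages and not part of Samba: the thread shows that ldappasswd itself reports the ppolicy rejection as "Result: Constraint violation (19)" plus an "Additional info:" line, while the Samba-driven change succeeds silently. The function below parses exactly that output so a wrapper script used as the "passwd program" (the man page note quoted above says that program and its "passwd chat" are used only with "unix password sync = yes") would exit non-zero with the server's own policy message instead of reporting success. Assumptions, labelled as such: that the wrapper approach is viable in this setup, that ldappasswd prints no "Result:" line (or "Success (0)") when the change succeeds, and that the same message is what you would want in Samba's logs; whether the text reaches the Windows dialog is not something this script establishes.

```shell
#!/bin/sh
# Added example (not from the thread). Parse the result text that ldappasswd
# prints, in the exact form quoted in the thread, and turn a ppolicy rejection
# into a non-zero exit plus the server's own message.
#
# classify_ldappasswd_output: read ldappasswd's combined stdout/stderr on
# stdin, print one human-readable line, and return:
#   0  no "Result:" line, or "Success (0)"  -> password changed
#      (assumption about ldappasswd's success output; check your version)
#   1  "Constraint violation (19)"          -> ppolicy rejected the password
#   2  any other LDAP result                -> some other failure
classify_ldappasswd_output() {
    ldap_text=$(cat)
    # First "Result:" and "Additional info:" lines, as ldappasswd prints them.
    ldap_result=$(printf '%s\n' "$ldap_text" | sed -n 's/^Result: //p' | head -n 1)
    ldap_info=$(printf '%s\n' "$ldap_text" | sed -n 's/^Additional info: //p' | head -n 1)
    case "$ldap_result" in
        ""|"Success (0)")
            echo "Password changed"
            return 0 ;;
        "Constraint violation (19)")
            # The two ppolicy reasons seen in the thread: the quality check
            # ("Password fails quality checking policy") and the history check
            # ("Password is in history of old passwords").
            echo "Password rejected by policy: ${ldap_info:-$ldap_result}"
            return 1 ;;
        *)
            echo "Password change failed: ${ldap_info:-$ldap_result}"
            return 2 ;;
    esac
}
```

In a wrapper script the ldappasswd invocation from the thread's smb.conf (with 2>&1 so the Result lines are captured) would be fed to this function, and the wrapper's exit status would be the function's, so the chat and the Samba log see the rejection rather than a silent success.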
