Volker Lendecke wrote: > On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote: > >> It's not defined in my Samba source, but I guess that was the wrong >> place to look. On my system, /usr/include/ldap.h does in fact have that >> defined. However, Samba still returns NT_STATUS_UNSUCCESSFUL, and >> Windows still reports that the password couldn't be changed because the >> domain was unavailable... have I zigged where I should've zagged, or is >> Samba not setting rc properly when it gets the response from LDAP? >> > > Please check that your LDAP server indeed does return 0x13 > over the 389 connection. You might also add a DEBUG > statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) > to check what smbd sees. That's at least what I would do. > > Volker > My initial process was flawed (the makefile I was using was pointing to the wrong source tree). I have now gotten the new code in pdb_ldap.c working, but there's still a slight issue. It returns NT_STATUS_PASSWORD_RESTRICTION as expected, but instead of passing back the message that LDAP sends, which is:
[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472) Extended operation failed with error: Constraint violation (Password fails quality checking policy) [2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644) ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation Password fails quality checking policy ...it returns "Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes." Is there any way to get Samba to use what it's being given by LDAP, instead of using these values? I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure where it's actually getting those from, but it's not what the users are being restricted by and I'd like the error messages to reflect the LDAP restrictions that it's passing back to Samba. Thanks as always for your help and insight, Ryan -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba