Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:
> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure why it's showing the user this message instead. I see I can edit the values that Samba is showing the user with pdbedit, but I shouldn't need to edit that - my password policy is defined in LDAP, and those are the message I'd like the users to see.

How are these policies exactly defined in LDAP? Are they visible for LDAP clients?

If they are visible, then we might have a chance to return them to the client, although this would require coding. If they are defined in some LDAP server config file that is not visible to Samba, then we can't export those to the client.

Volker
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:
>> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure why it's showing the user this message instead. I see I can edit the values that Samba is showing the user with pdbedit, but I shouldn't need to edit that - my password policy is defined in LDAP, and those are the message I'd like the users to see.
>
> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?

It's an explicit entry in LDAP:

    56 cn=Password Policy,ou=Policies,dc=example,dc=com
    cn: Password Policy
    pwdAttribute: userPassword
    pwdMaxAge: 3888000
    pwdMinAge: 3468000
    pwdMinLength: 6
    pwdExpireWarning: 432000
    pwdFailureCountInterval: 0
    pwdMustChange: FALSE
    pwdAllowUserChange: TRUE
    pwdLockout: TRUE
    pwdCheckQuality: 1
    pwdGraceAuthNLimit: 0
    pwdInHistory: 6
    pwdMaxFailure: 2
    pwdLockoutDuration: 60
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    objectClass: top
    pwdCheckModule: check_password.so
    pwdSafeModify: FALSE

The check_password.so module is what's doing the strength checks, similar to how the 'check password script' works in Samba. All other password policy attributes listed above are visible (read access) from a directory listing (for every user).

> If they are visible, then we might have a chance to return them to the client, although this would require coding. If they are defined in some LDAP server config file that is not visible to Samba, then we can't export those to the client.

It sounds like everything is pretty cut and dry with the exception of the checks enforced by check_password.so. But, I think if Samba just returned the errors sent back by LDAP/check_password.so (e.g., password too short, password does not meet required strength checks, etc.), that would suffice. I can see that Samba receives these error messages, but seems to do nothing with them (log information included in previous posts in this thread). If that can be rectified, that should get us pretty close, no?

Thanks as always,
Ryan
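
The message above gives the ppolicy entry, and the thread notes that the numbers quoted in the Windows dialog are Samba's own account-policy values, editable with pdbedit. The following is an added example, not code from the thread or from Samba: a shell helper (hypothetical name `ppolicy_to_pdbedit`) that reads such an entry as LDIF and prints the `pdbedit -P ... -C ...` commands that bring those values in line with LDAP. It assumes Samba's account-policy units (ages in seconds, lockout duration in minutes) and treats a ppolicy value of 0 as "no limit", leaving the Samba default untouched.

```shell
#!/bin/sh
# Added example: derive Samba account-policy settings from an OpenLDAP
# pwdPolicy entry, so the Windows dialog quotes the limits LDAP enforces.

# Constructed sample input: the policy entry quoted in the thread, written
# as LDIF (the "dn:" line is reconstructed from the entry name shown there).
sample_ppolicy_ldif() {
    cat <<'EOF'
dn: cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdLockout: TRUE
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
EOF
}

# ppolicy_to_pdbedit (hypothetical helper): read one pwdPolicy entry as LDIF
# on stdin and print, without running them, the pdbedit commands that set
# the matching Samba account policies.
ppolicy_to_pdbedit() {
    awk '
        function num(attr) { return v[attr] + 0 }   # force numeric compare
        function emit(policy, value) {
            printf "pdbedit -P \"%s\" -C %d\n", policy, value
        }
        # Remember every pwd* attribute; strip trailing blanks and CRs.
        /^pwd[A-Za-z]+:/ {
            name = $0; sub(/:.*$/, "", name)
            val = $0;  sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            v[name] = val
        }
        END {
            # ppolicy uses 0 for "no limit": emit nothing in that case.
            if (num("pwdMinLength") > 0)
                emit("min password length", num("pwdMinLength"))
            if (num("pwdInHistory") > 0)
                emit("password history", num("pwdInHistory"))
            if (num("pwdMinAge") > 0)
                emit("minimum password age", num("pwdMinAge"))
            if (num("pwdMaxAge") > 0)
                emit("maximum password age", num("pwdMaxAge"))
            # Lockout only applies when the policy switches it on.
            if (v["pwdLockout"] == "TRUE" && num("pwdMaxFailure") > 0) {
                emit("bad lockout attempt", num("pwdMaxFailure"))
                # seconds in ppolicy, minutes in Samba: round up
                if (num("pwdLockoutDuration") > 0)
                    emit("lockout duration",
                         int((num("pwdLockoutDuration") + 59) / 60))
            }
        }
    '
}

# Stand-alone run: show the commands for the sample entry.
sample_ppolicy_ldif | ppolicy_to_pdbedit
```

This aligns only the numeric limits the dialog quotes; the quality rules enforced by check_password.so have no account-policy equivalent, so a rejection on those grounds still needs the LDAP diagnostic to reach the user.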
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
>>> I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure why it's showing the user this message instead. I see I can edit the values that Samba is showing the user with pdbedit, but I shouldn't need to edit that - my password policy is defined in LDAP, and those are the message I'd like the users to see.
>> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?
> It's an explicit entry in LDAP:

ppolicy support in Samba would be awesome. Would make PCI/DSS (and other regulatory compliance) *much* easier for shops using a Samba PDC.

http://www.openldap.org/software/man.cgi?query=slapo-ppolicy

> 56 cn=Password Policy,ou=Policies,dc=example,dc=com
> cn: Password Policy
> pwdAttribute: userPassword
> pwdMaxAge: 3888000
>
> The check_password.so module is what's doing the strength checks, similar to how the 'check password script' works in Samba. All other password policy attributes listed above are visible (read access) from a directory listing (for every user).
>> If they are visible, then we might have a chance to return them to the client, although this would require coding. If they are defined in some LDAP server config file that is not visible to Samba, then we can't export those to the client.
> It sounds like everything is pretty cut and dry with the exception of the checks enforced by check_password.so. But, I think if Samba just returned the errors sent back by LDAP/check_password.so (e.g., password too short, password does not meet required strength checks, etc.), that would suffice.

Yep, that is what happens.

> I can see that Samba receives these error messages, but seems to do nothing with them (log information included in previous posts in this thread). If that can be rectified, that should get us pretty close, no?

-- 
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
>>> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?
>> It's an explicit entry in LDAP:
> ppolicy support in Samba would be awesome. Would make PCI/DSS (and other regulatory compliance) *much* easier for shops using a Samba PDC.
> http://www.openldap.org/software/man.cgi?query=slapo-ppolicy

Ok, that looks doable. Problem is as always developer time. I'd be happy to review patches though.

Volker

P.S: http://samba.org/samba/support/ very likely lists companies where you can buy that developer time. ;-))
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
> On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
>>>> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?
>>> It's an explicit entry in LDAP:
>> ppolicy support in Samba would be awesome. Would make PCI/DSS (and other regulatory compliance) *much* easier for shops using a Samba PDC.
>> http://www.openldap.org/software/man.cgi?query=slapo-ppolicy
>
> Ok, that looks doable. Problem is as always developer time. I'd be happy to review patches though.

FYI: we are discussing for a new IETF blessed RFC proposal for a standard way to handle password policies in LDAP. Nothing implemented in servers so far of course, but better to take that in account if someone is going to write a patch so that it will be easier to switch to the standard if we get one at the end of the process.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Wed, 2008-04-09 at 11:57 -0400, simo wrote:
> On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
>> On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
>>>>> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?
>>>> It's an explicit entry in LDAP:
>>> ppolicy support in Samba would be awesome. Would make PCI/DSS (and other regulatory compliance) *much* easier for shops using a Samba PDC.
>>> http://www.openldap.org/software/man.cgi?query=slapo-ppolicy
>>
>> Ok, that looks doable. Problem is as always developer time. I'd be happy to review patches though.
>
> FYI: we are discussing for a new IETF blessed RFC proposal for a standard way to handle password policies in LDAP. Nothing implemented in servers so far of course, but better to take that in account if someone is going to write a patch so that it will be easier to switch to the standard if we get one at the end of the process.

This is different than the existing one? From the ppolicy man page:

    The ppolicy overlay is an implementation of the most recent IETF Password Policy proposal for LDAP.

http://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Wed, 2008-04-09 at 15:11 -0400, Adam Tauno Williams wrote:
> On Wed, 2008-04-09 at 11:57 -0400, simo wrote:
>> On Wed, 2008-04-09 at 17:54 +0200, Volker Lendecke wrote:
>>> On Wed, Apr 09, 2008 at 11:40:33AM -0400, Adam Tauno Williams wrote:
>>>>>> How are these policies exactly defined in LDAP? Are they visible for LDAP clients?
>>>>> It's an explicit entry in LDAP:
>>>> ppolicy support in Samba would be awesome. Would make PCI/DSS (and other regulatory compliance) *much* easier for shops using a Samba PDC.
>>>> http://www.openldap.org/software/man.cgi?query=slapo-ppolicy
>>>
>>> Ok, that looks doable. Problem is as always developer time. I'd be happy to review patches though.
>>
>> FYI: we are discussing for a new IETF blessed RFC proposal for a standard way to handle password policies in LDAP. Nothing implemented in servers so far of course, but better to take that in account if someone is going to write a patch so that it will be easier to switch to the standard if we get one at the end of the process.
>
> This is different than the existing one? From the ppolicy man page:
>
>     The ppolicy overlay is an implementation of the most recent IETF Password Policy proposal for LDAP.
>
> http://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt

Yes it is different (although the new one is based on the Behera one), this is the current one:

http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>> It's not defined in my Samba source, but I guess that was the wrong place to look. On my system, /usr/include/ldap.h does in fact have that defined. However, Samba still returns NT_STATUS_UNSUCCESSFUL, and Windows still reports that the password couldn't be changed because the domain was unavailable... have I zigged where I should've zagged, or is Samba not setting rc properly when it gets the response from LDAP?
>
> Please check that your LDAP server indeed does return 0x13 over the 389 connection. You might also add a DEBUG statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) to check what smbd sees. That's at least what I would do.
>
> Volker

My initial process was flawed (the makefile I was using was pointing to the wrong source tree). I have now gotten the new code in pdb_ldap.c working, but there's still a slight issue. It returns NT_STATUS_PASSWORD_RESTRICTION as expected, but instead of passing back the message that LDAP sends, which is:

    [2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
      Extended operation failed with error: Constraint violation (Password fails quality checking policy)
    [2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
      ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
      Password fails quality checking policy

...it returns

    Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes.

Is there any way to get Samba to use what it's being given by LDAP, instead of using these values? I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure where it's actually getting those from, but it's not what the users are being restricted by and I'd like the error messages to reflect the LDAP restrictions that it's passing back to Samba.

Thanks as always for your help and insight,
Ryan
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
>> It's not defined in my Samba source, but I guess that was the wrong place to look. On my system, /usr/include/ldap.h does in fact have that defined. However, Samba still returns NT_STATUS_UNSUCCESSFUL, and Windows still reports that the password couldn't be changed because the domain was unavailable... have I zigged where I should've zagged, or is Samba not setting rc properly when it gets the response from LDAP?
>
> Please check that your LDAP server indeed does return 0x13 over the 389 connection. You might also add a DEBUG statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) to check what smbd sees. That's at least what I would do.
>
> Volker

My initial process for building the binary package was flawed (the makefile was using the wrong source tree). After correcting that, the new code has been inserted, and it is successfully returning NT_STATUS_PASSWORD_RESTRICTION in pdb_ldap.c. However, there is a slight problem. Instead of showing the user the message that LDAP is passing back (and which Samba receives) which is:

    [2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
      Extended operation failed with error: Constraint violation (Password fails quality checking policy)
    [2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
      ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
      Password fails quality checking policy

...it returns

    Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes.

Is it possible to have Samba convey to the user the message that LDAP returns, instead of returning the aforementioned message? I want the error the users see to reflect why they're actually being denied a password change. I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure why it's showing the user this message instead. I see I can edit the values that Samba is showing the user with pdbedit, but I shouldn't need to edit that - my password policy is defined in LDAP, and those are the message I'd like the users to see.

Thanks as always for your help and insight,
Ryan
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
>> I think the bug/problem is that this message is being displayed instead of Password could not be changed for user tester: Constraint violation and does not pass required number of strength checks (1 of 3).
>
> Current 3.2 has the attached code. Might help for you.
>
> Volker

Adding:

    #if defined(LDAP_CONSTRAINT_VIOLATION)
        if (rc == LDAP_CONSTRAINT_VIOLATION)
            return NT_STATUS_PASSWORD_RESTRICTION;
    #endif

...to pdb_ldap.c didn't seem to change the behavior at all. I suspect it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my 3.0.24 source, though I could certainly be wrong. I'm grabbing the latest source from git to see where that's defined, but if anybody wants to head me off at the pass with the information, it's certainly welcome.

Thanks,
Ryan
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
>     #if defined(LDAP_CONSTRAINT_VIOLATION)
>         if (rc == LDAP_CONSTRAINT_VIOLATION)
>             return NT_STATUS_PASSWORD_RESTRICTION;
>     #endif
>
> ...to pdb_ldap.c didn't seem to change the behavior at all. I suspect it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my 3.0.24 source, though I could certainly be wrong. I'm grabbing the latest source from git to see where that's defined, but if anybody wants to head me off at the pass with the information, it's certainly welcome.

If your LDAP libs don't have that define, you might try to use the value from OpenLDAP:

    #define LDAP_CONSTRAINT_VIOLATION 0x13

Volker
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
Volker Lendecke wrote:
> On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
>>     #if defined(LDAP_CONSTRAINT_VIOLATION)
>>         if (rc == LDAP_CONSTRAINT_VIOLATION)
>>             return NT_STATUS_PASSWORD_RESTRICTION;
>>     #endif
>>
>> ...to pdb_ldap.c didn't seem to change the behavior at all. I suspect it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my 3.0.24 source, though I could certainly be wrong. I'm grabbing the latest source from git to see where that's defined, but if anybody wants to head me off at the pass with the information, it's certainly welcome.
>
> If your LDAP libs don't have that define, you might try to use the value from OpenLDAP:
>
>     #define LDAP_CONSTRAINT_VIOLATION 0x13
>
> Volker

It's not defined in my Samba source, but I guess that was the wrong place to look. On my system, /usr/include/ldap.h does in fact have that defined. However, Samba still returns NT_STATUS_UNSUCCESSFUL, and Windows still reports that the password couldn't be changed because the domain was unavailable... have I zigged where I should've zagged, or is Samba not setting rc properly when it gets the response from LDAP?

Thanks,
Ryan
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
> It's not defined in my Samba source, but I guess that was the wrong place to look. On my system, /usr/include/ldap.h does in fact have that defined. However, Samba still returns NT_STATUS_UNSUCCESSFUL, and Windows still reports that the password couldn't be changed because the domain was unavailable... have I zigged where I should've zagged, or is Samba not setting rc properly when it gets the response from LDAP?

Please check that your LDAP server indeed does return 0x13 over the 389 connection. You might also add a DEBUG statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) to check what smbd sees. That's at least what I would do.

Volker
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
> I think the bug/problem is that this message is being displayed instead of Password could not be changed for user tester: Constraint violation and does not pass required number of strength checks (1 of 3).

Current 3.2 has the attached code. Might help for you.

Volker

diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index 54c2500..c07d59a 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -1644,6 +1644,10 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:unknown)); SAFE_FREE(ld_error); ber_bvfree(bv); +#if defined(LDAP_CONSTRAINT_VIOLATION) + if (rc == LDAP_CONSTRAINT_VIOLATION) + return NT_STATUS_PASSWORD_RESTRICTION; +#endif return NT_STATUS_UNSUCCESSFUL; } else { DEBUG(3,(ldapsam_modify_entry: LDAP Password changed for user %s\n,pdb_get_username(newpwd)));
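
Review bot: the added `rc == LDAP_CONSTRAINT_VIOLATION` branch sits inside `#if defined(LDAP_CONSTRAINT_VIOLATION)`, so on a build whose LDAP headers lack that macro it compiles to nothing and the function keeps returning NT_STATUS_UNSUCCESSFUL with no hint that the mapping is missing; a fallback definition or a build-time warning would stop it from disappearing unnoticed. The branch also returns after `SAFE_FREE(ld_error)`, so the server's diagnostic text is written to the DEBUG log only and never reaches the caller; if the client is ever meant to see why the change was refused, that string has to be captured before it is freed. A short comment above the branch saying why a constraint violation is treated as a password restriction would help the next reader.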
Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Fri, Apr 4, 2008 at 4:41 PM, Ryan Steele [EMAIL PROTECTED] wrote:
> Hey list,
>
> Recently I've gotten my Samba PDC to successfully use an OpenLDAP backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP. However, Samba appears to incorrectly handle responses from LDAP's ppolicy overlay, even though it very clearly receives them. If I enter in a password (be it through Ctrl+Alt+Delete or when a password expires and the user is prompted at logon) that violates the ppolicy constraints, I get one of two scenarios.
>
> 1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf), Windows reports the password change was successful (Your password has been changed dialog box), when in fact none of the attributes have changed (including but not limited to sambaNTPassword, sambaLMPassword).
>
> 2. If logging is turned on (anything other than 0 in the slapd.conf), Windows reports that The system cannot change your password now because the domain DOMAINNAME is unavailable. While this is certainly not the case, at least in this situation the user is informed that the password change did not work.
>
> I can see that LDAP does indeed pass back a response to Samba; from the LDAP logs:
>
> Apr 4 10:47:37 servername slapd[12709]: do_extended
> Apr 4 10:47:37 servername slapd[12709]: dnPrettyNormal: uid=tester,ou=Users,dc=example,dc=com
> Apr 4 10:47:37 servername slapd[12709]: dnPrettyNormal: uid=tester,ou=Users,dc=example,dc=com, uid=tester,ou=users,dc=example,dc=com
> Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
> Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry(cn=password policy,ou=policies,dc=example,dc=com)
> Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
> Apr 4 10:47:37 servername slapd[12709]: check_password_quality: module error: (check_password.so) Password for dn=uid=tester,ou=Users,dc=example,dc=com does not pass required number of strength checks (1 of 3).[1]
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid= len=0
> Apr 4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25 tag=120 err=19
> Apr 4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
> Apr 4 10:47:42 servername slapd[12709]: connection_read(19): checking for input on id=77
> Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed errno=0 (Success)
> Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying conn=77 sd=19 for close
> Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
> Apr 4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
> Apr 4 10:47:42 servername slapd[12709]: connection_read(13): checking for input on id=76
> Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed errno=0 (Success)
> Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying conn=76 sd=13 for close
> Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1
>
> ...and, Samba does receive this error message intact. From the Samba logs:
>
> [2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
>   ldapsam_update_sam_account: user tester to be modified has dn: uid=tester,ou=Users,dc=example,dc=com
> [2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
>   init_ldap_from_sam: Setting entry for user: tester
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
>   smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1207320457|
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
>   smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
>   smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
> [2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
>   smbldap_modify: dn = [uid=tester,ou=Users,dc=example,dc=com]
> [2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
>   Extended operation failed with error: Constraint violation (Password fails quality checking policy)
> [2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
>   ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
>   Password fails quality checking policy
> [2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
>   pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
> [2008/04/04 12:11:54, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)