Hi Ryan,
> I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
> smbk5pwd overlays).
>
> While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
> on password change. I currently have the following in my smb.conf
> related to password changes:
>
> passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
> passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
> passdb backend = ldapsam:ldap://127.0.0.1
Correct me if I'm wrong, but I thought that the password chat was
referring to some kind of Expect script to interact with the script
referred to by the "password program" parameter (/usr/bin/ldappasswd in
your case). There is some more info on this in the smb.conf man page.
Cheers,
Denis
> I can change passwords, but there are a couple of things I've noticed
> that don't work properly.
>
> 1. My 'passwd chat' text isn't reflected on the Windows clients on the
> domain. Instead, I get (when changing via ctrl+alt+delete or during
> domain logon if the password has expired):
>
> User name:
> Log on to:
> Old password:
> New password:
> Confirm new password:
>
> 2. The password requirements set forth by ppolicy (such as length,
> strength, and recently used passwords) don't seem to be adhered to. I
> can put in 'foobar' as the new password, change it to 'foobar1', change
> it back to 'foobar', and Samba will happily change the passwords. While
> the change does take, and I can log in to the domain with 'foobar' or
> 'foobar1' as the password, it's certainly not what I want. Conversely,
> I get the desired results when invoking 'ldappasswd' from the command-line:
>
> # Testing the weak password 'foobar'
> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Constraint violation (19)
> Additional info: Password fails quality checking policy
>
> # Testing a password in the list of the last six passwords
> server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Constraint violation (19)
> Additional info: Password is in history of old passwords
>
> If I try putting in something like 'a' as the password, I get a dialog
> box that says: "Your password must be at least 5 characters, cannot
> repeat any of your previous 0 passwords and must be at least 0 days
> old. Please type a different password. Type a password that meets
> these requirements in both text boxes." Where is this text/requirement
> list coming from? And, how can I configure Samba such that it returns
> the desired errors (above) to the user?
>
> In the same vein, instead of having the sambaPasswordHistory attribute
> in LDAP reflect the old hashed passwords, I just get one entry which reads:
>
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>
> I would very much appreciate any advice you folks might be able to offer.
>
> Thanks,
> Ryan
--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.62.67
http://www.tranquil-it-systems.fr
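To make the expect/send mechanism behind `passwd chat` concrete, here is an added example that is not Samba's or OpenLDAP's code and was not part of the thread. It is a small simulation: the chat string is split into quoted glob patterns and the text to send, the macros `%u`, `%o` and `%n` are expanded, and the driver walks a fake `ldappasswd` whose prompts and error lines are taken from Ryan's transcript above. The fake program's success line, its minimum length of 5 and its history check are constructed stand-ins for a real ppolicy configuration, and case-insensitive sequential matching is an assumption of the simulation, not a statement about Samba's matcher. It shows two things a practitioner would want to check: whether the chat patterns match the prompts the program actually prints, and that the driver only ever learns "matched" or "did not match", so the server's `Additional info:` reason is never read.

```python
"""Simulated 'passwd chat' exchange against a fake ldappasswd.

Added example; not Samba's or OpenLDAP's code. Simulation assumptions:
matching is case-insensitive and strictly sequential; the fake program's
prompts and error lines are those in the ldappasswd transcript quoted in
the thread; its success line, the minimum length of 5 and the history
check are constructed stand-ins for a real ppolicy configuration.
"""
import fnmatch
import re

# The chat value exactly as quoted in the thread (one smb.conf line).
RYAN_CHAT = (r'"*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n '
             r'"*Verify OLD password*" %o\n "*Password changed*" \n')

# A chat whose patterns follow the prompts ldappasswd printed in the
# transcript (-S asks for the new password twice, then -W for the bind
# password, which with -D uid=%u is the user's old password).
MATCHING_CHAT = (r'"*New password*" %n\n "*Re-enter new password*" %n\n '
                 r'"*Enter LDAP Password*" %o\n "*Password changed*" \n')

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_chat(chat):
    """Split a chat string into (expect_glob, send_text) pairs."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN_RE.finditer(chat)]
    if len(tokens) % 2:
        raise ValueError("passwd chat must alternate expect/send tokens")
    return [(tokens[i], tokens[i + 1].replace("\\n", "\n"))
            for i in range(0, len(tokens), 2)]


def substitute(send, user, old, new):
    """Expand the %u, %o and %n macros in a send token."""
    return send.replace("%u", user).replace("%o", old).replace("%n", new)


class FakeLdapPasswd:
    """Constructed stand-in for 'ldappasswd -x -W -S -D uid=<user>,...'."""

    PROMPTS = ["New password:", "Re-enter new password:",
               "Enter LDAP Password:"]

    def __init__(self, current, history=(), min_length=5):
        self.current = current           # the user's current password
        self.history = list(history)     # previous passwords (history check)
        self.min_length = min_length     # constructed quality rule
        self.answers = []
        self.lines = list(self.PROMPTS)  # output not yet read by the driver

    def next_line(self):
        """Return the next output line, or None when nothing is pending."""
        return self.lines.pop(0) if self.lines else None

    def send(self, text):
        """Receive one answer; after the third, queue the result lines."""
        self.answers.append(text.rstrip("\n"))
        if len(self.answers) == len(self.PROMPTS):
            self.lines.extend(self._result())

    def _result(self):
        new, confirm, old = self.answers
        if new != confirm:
            return ["Password values do not match"]          # constructed
        if old != self.current:
            return ["ldap_bind: Invalid credentials (49)"]   # bind as the user failed
        if len(new) < self.min_length:
            return ["Result: Constraint violation (19)",
                    "Additional info: Password fails quality checking policy"]
        if new == self.current or new in self.history:
            return ["Result: Constraint violation (19)",
                    "Additional info: Password is in history of old passwords"]
        self.history.append(self.current)
        self.current = new
        return ["Password changed (constructed success line)"]


def run_chat(chat, program, user, old, new):
    """Drive 'program' through 'chat'.

    Returns (ok, step, line): ok is True only when every expect pattern
    matched in order. On failure, step is the index of the first pattern
    that did not match and line is the output it was compared against.
    Nothing else the program prints is read, so a reason such as the
    'Additional info:' line never reaches the caller.
    """
    for step, (expect, send) in enumerate(parse_chat(chat)):
        line = program.next_line()
        if line is None or not fnmatch.fnmatchcase(line.lower(), expect.lower()):
            return False, step, line
        program.send(substitute(send, user, old, new))
    return True, None, None


if __name__ == "__main__":
    for name, chat in (("quoted chat", RYAN_CHAT), ("matching chat", MATCHING_CHAT)):
        for old, new in (("foobar", "foobar1"), ("foobar", "a")):
            print(name, old, "->", new,
                  run_chat(chat, FakeLdapPasswd(old), "tester", old, new))
```

Run as-is, the quoted chat fails at step 0 because `*Enter NEW password*` does not match the `New password:` prompt the transcript shows, while the matching chat succeeds for `foobar -> foobar1` and fails at the last pattern for `foobar -> a`, leaving the `Additional info:` line unread in the fake program's output queue.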