Ryan Steele
2008-Apr-04 20:43 UTC
[Samba] Samba 3.0.24 handling LDAP responses incorrectly
Hey list,
Recently I've gotten my Samba PDC to successfully use an OpenLDAP
backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP.
However, Samba appears to incorrectly handle responses from LDAP's
ppolicy overlay, even though it very clearly receives them. If I enter
in a password (be it through Ctrl+Alt+Delete or when a password expires
and the user is prompted at logon) that violates the ppolicy
constraints, I get one of two scenarios.
1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf),
Windows reports the password change was successful ("Your password has
been changed" dialog box), when in fact none of the attributes have
changed (including but not limited to sambaNTPassword, sambaLMPassword).
2. If logging is turned on (anything other than 0 in the slapd.conf),
Windows reports that "The system cannot change your password now because
the domain DOMAINNAME is unavailable." While this is certainly not the
case, at least in this situation the user is informed that the password
change did not work.
I can see that LDAP does indeed pass back a response to Samba; from the
LDAP logs:
Apr 4 10:47:37 servername slapd[12709]: do_extended
Apr 4 10:47:37 servername slapd[12709]: >>> dnPrettyNormal:
<uid=tester,ou=Users,dc=example,dc=com>
Apr 4 10:47:37 servername slapd[12709]: <<< dnPrettyNormal:
<uid=tester,ou=Users,dc=example,dc=com>,
<uid=tester,ou=users,dc=example,dc=com>
Apr 4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]:
bdb_dn2entry("uid=tester,ou=users,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]: bdb_dn2entry("cn=password
policy,ou=policies,dc=example,dc=com")
Apr 4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr 4 10:47:37 servername slapd[12709]: check_password_quality: module
error: (check_password.so) Password for
dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required
number
of strength checks (1 of 3).[1]
Apr 4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr 4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oidlen=0
Apr 4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25
tag=120 err=19
Apr 4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
Apr 4 10:47:42 servername slapd[12709]: connection_read(19): checking
for input on id=77
Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed
errno=0 (Success)
Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=77 sd=19 for close
Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
Apr 4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
Apr 4 10:47:42 servername slapd[12709]: connection_read(13): checking
for input on id=76
Apr 4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed
errno=0 (Success)
Apr 4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=76 sd=13 for close
Apr 4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1
...and, Samba does receive this error message intact. From the Samba logs:
[2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
ldapsam_update_sam_account: user tester to be modified has dn:
uid=tester,ou=Users,dc=example,dc=com
[2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
init_ldap_from_sam: Setting entry for user: tester
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
smbldap_make_mod: deleting attribute |sambaPwdCanChange| values
|1207320457|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
[2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
smbldap_modify: dn => [uid=tester,ou=Users,dc=example,dc=com]
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy
[2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
[2008/04/04 12:11:54, 5]
rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
init_samr_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1480)
_samr_chgpasswd_user: 1480
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
000000 samr_io_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
0000 status: NT_STATUS_UNSUCCESSFUL
Yet, the error message is: "The system cannot change your password now
because the domain DOMAINNAME is unavailable." I wonder why Samba
doesn't pass back the error verbatim to the client? Is this a bug, and
is it patchable?
Respectfully,
Ryan
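The two scenarios above boil down to one question: does the status handed back to the Windows client agree with what slapd decided about the password-modify extended operation? The following is an added example, not code from the post or from Samba. It parses the kinds of slapd and smbd log lines quoted above (condensed here, with wrapped lines re-joined) and classifies each password change as consistent, a generic error, or a silent failure. The NTSTATUS mapping in EXPECTED_NTSTATUS is this example's own proposal, not what Samba 3.0.24 does, and the smbd excerpt for the loglevel-0 case is hypothetical, since the post shows no smbd log for it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# LDAP result codes (RFC 4511) as slapd prints them in "err=N".
LDAP_RESULT_NAMES = {0: "success", 19: "constraintViolation",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}

# What the client ought to be told per LDAP outcome. This is the example's
# own proposal, not the mapping Samba 3.0.24 implements: the post shows it
# returning NT_STATUS_UNSUCCESSFUL, rendered by Windows as "domain unavailable".
EXPECTED_NTSTATUS = {0: "NT_STATUS_OK", 19: "NT_STATUS_PASSWORD_RESTRICTION",
                     53: "NT_STATUS_PASSWORD_RESTRICTION", 50: "NT_STATUS_ACCESS_DENIED"}

SLAPD_RESULT_RE = re.compile(r"send_ldap_result: conn=(\d+) op=(\d+)")
SLAPD_EXT_RE = re.compile(r"send_ldap_extended: err=(\d+)")
SMBD_EXT_FAIL_RE = re.compile(r"Extended operation failed with error: ([^(]+?)(?: \((.*)\))?\s*$")
SMBD_STATUS_RE = re.compile(r"status: (NT_STATUS_\w+)")


@dataclass
class PasswordChangeTrace:
    conn: Optional[str] = None         # slapd connection id
    op: Optional[str] = None           # slapd operation id
    ldap_rc: Optional[int] = None      # result code of the password-modify extended op
    smbd_error: Optional[str] = None   # LDAP error text smbd logged
    smbd_detail: Optional[str] = None  # diagnostic text from the ppolicy overlay
    ntstatus: Optional[str] = None     # NTSTATUS marshalled back to the client


def parse_slapd(lines: Iterable[str], trace: PasswordChangeTrace) -> PasswordChangeTrace:
    """Record the conn/op and the extended-op result code from slapd's log."""
    for line in lines:
        if m := SLAPD_RESULT_RE.search(line):
            trace.conn, trace.op = m.group(1), m.group(2)
        if m := SLAPD_EXT_RE.search(line):
            trace.ldap_rc = int(m.group(1))
    return trace


def parse_smbd(lines: Iterable[str], trace: PasswordChangeTrace) -> PasswordChangeTrace:
    """Record the LDAP failure smbd saw and the NTSTATUS it sent to the client."""
    for line in lines:
        if m := SMBD_EXT_FAIL_RE.search(line):
            trace.smbd_error, trace.smbd_detail = m.group(1).strip(), m.group(2)
        if m := SMBD_STATUS_RE.search(line):
            trace.ntstatus = m.group(1)
    return trace


def analyze(slapd_log: str, smbd_log: str) -> PasswordChangeTrace:
    trace = parse_slapd(slapd_log.splitlines(), PasswordChangeTrace())
    return parse_smbd(smbd_log.splitlines(), trace)


def classify(trace: PasswordChangeTrace) -> str:
    """Compare what LDAP decided with what the client was told."""
    if trace.ldap_rc in (None, 0):
        return "ldap_ok"
    if trace.ntstatus in (None, "NT_STATUS_OK"):
        return "silent_failure"      # scenario 1: user told the change succeeded
    if trace.ntstatus == EXPECTED_NTSTATUS.get(trace.ldap_rc):
        return "consistent"
    return "generic_error"           # scenario 2: "domain ... is unavailable"


# Constructed excerpts, condensed from the lines quoted in the post.
SLAPD_LOG = """\
Apr 4 10:47:37 servername slapd[12709]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester,ou=Users,dc=example,dc=com" does not pass required number of strength checks (1 of 3).
Apr 4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr 4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oidlen=0
Apr 4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25 tag=120 err=19
"""

SMBD_LOG_LOGGING_ON = """\
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  0000 status: NT_STATUS_UNSUCCESSFUL
"""

# Hypothetical: the post shows no smbd log for loglevel 0, only the
# "password changed" dialog, which implies a success status on the wire.
SMBD_LOG_LOGGING_OFF = """\
[2008/04/04 12:20:01, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  0000 status: NT_STATUS_OK
"""

if __name__ == "__main__":
    for smbd_log in (SMBD_LOG_LOGGING_ON, SMBD_LOG_LOGGING_OFF):
        t = analyze(SLAPD_LOG, smbd_log)
        print(f"slapd conn={t.conn} op={t.op} err={t.ldap_rc} "
              f"({LDAP_RESULT_NAMES.get(t.ldap_rc)}); client got {t.ntstatus} "
              f"-> {classify(t)}")
```

The log-side check only tells you what the server decided. After a "Your password has been changed" dialog, the definitive test is to read the user's entry before and after (the post names sambaNTPassword and sambaLMPassword as unchanged) and confirm the attributes actually moved, because the dialog alone cannot be trusted here.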
John Drescher
2008-Apr-04 20:48 UTC
[Samba] Samba 3.0.24 handling LDAP responses incorrectly
On Fri, Apr 4, 2008 at 4:41 PM, Ryan Steele <rsteele@archer-group.com> wrote:
> Hey list,
>
> Recently I've gotten my Samba PDC to successfully use an OpenLDAP
> backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP.
> However, Samba appears to incorrectly handle responses from LDAP's
> ppolicy overlay, even though it very clearly receives them.
> [...]
> Yet, the error message is: "The system cannot change your password now
> because the domain DOMAINNAME is unavailable." I wonder why Samba
> doesn't pass back the error verbatim to the client? Is this a bug, and
> is it patchable?

I think the bug/problem is that this message is being displayed instead of
"Password could not be changed for user tester: Constraint violation" and
"does not pass required number of strength checks (1 of 3)."

John
Volker Lendecke
2008-Apr-05 16:18 UTC
[Samba] Samba 3.0.24 handling LDAP responses incorrectly
[Message body not archived: multipart/mixed content skipped by the list archive. A PGP signature attachment (application/pgp-signature, 189 bytes) was scrubbed: http://lists.samba.org/archive/samba/attachments/20080405/dd7a17ad/attachment.bin]