Hi
We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
server, we have defined some policies to make the passwords stronger. When a
user tries to change his password (Control-Alt-Del), this message appears in
the LOGs:
==> /var/log/samba/xptest <=[2010/06/28 12:26:26, 2]
auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [10000001S] -> [10000001S]
-> [10000001S] succeeded
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
init_sam_from_ldap: Entry found for user: 10000001S
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
init_ldap_from_sam: Setting entry for user: 10000001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
ldapsam_modify_entry: LDAP Password could not be changed for user
10000001S: Constraint violation
Failed to update password
==> /var/log/dirsrv/slapd-pruebas/audit <=time: 20100628122637
dn: uid=10000001s,XXXXXXXXXXXXX
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409
-
add: sambaLMPassword
sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
-
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
-
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
-
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
-
replace: modifiersname
modifiersname: uid=adminsamba,XXXXXXXXXXX
-
replace: modifytimestamp
modifytimestamp: 20100628102637Z
-
So, the Samba passwords are changed, but the unix password is not changed
because the LDAP rejects it because it is not as string as required. Is
there any way to avoid this? Shouldn't the unix password be changed before
the samba passwords to check if the LDAP server accepts it?
Regards.
Well, if this can help anybody, i found a workaround that is not perfect, but works fine. http://lists.fedoraproject.org/pipermail/389-users/2010-June/011685.html Regards. El 28 de junio de 2010 12:40, Juan Asensio S?nchez <okelet at gmail.com>escribi?:> Hi > > We have some Samba servers using LDAP (389 DS) as backend. In the LDAP > server, we have defined some policies to make the passwords stronger. When a > user tries to change his password (Control-Alt-Del), this message appears in > the LOGs: > > ==> /var/log/samba/xptest <=> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309) > check_ntlm_password: authentication for user [10000001S] -> [10000001S] > -> [10000001S] succeeded > [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545) > init_sam_from_ldap: Entry found for user: 10000001S > [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167) > init_group_from_ldap: Entry found for group: 10001 > [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167) > init_group_from_ldap: Entry found for group: 10001 > [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972) > init_ldap_from_sam: Setting entry for user: 10000001S > [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651) > ldapsam_modify_entry: LDAP Password could not be changed for user > 10000001S: Constraint violation > Failed to update password > > > ==> /var/log/dirsrv/slapd-pruebas/audit <=> time: 20100628122637 > dn: uid=10000001s,XXXXXXXXXXXXX > changetype: modify > delete: sambaLMPassword > sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409 > - > add: sambaLMPassword > sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC > - > delete: sambaNTPassword > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52 > - > add: sambaNTPassword > sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D > - > delete: sambaPwdLastSet > sambaPwdLastSet: 1277720109 > - > add: sambaPwdLastSet > sambaPwdLastSet: 1277720798 > - > replace: modifiersname > modifiersname: uid=adminsamba,XXXXXXXXXXX > - > replace: modifytimestamp > modifytimestamp: 20100628102637Z > - > > So, the Samba passwords are changed, but the unix password is not changed > because the LDAP rejects it because it is not as string as required. Is > there any way to avoid this? Shouldn't the unix password be changed before > the samba passwords to check if the LDAP server accepts it? > > Regards. >
Hello Samba Friend, I'm sorry that I cannot help you in finding an answer to your question, but I'm rather interested in how you can add password policies to the LDAP sever. Is this openldap? and how did you implement the policies? On Mon, Jun 28, 2010 at 12:40:09PM +0200, Juan Asensio S??nchez wrote:> Hi > > We have some Samba servers using LDAP (389 DS) as backend. In the LDAP > server, we have defined some policies to make the passwords stronger. When a > user tries to change his password (Control-Alt-Del), this message appears in > the LOGs: > > ==> /var/log/samba/xptest <=> [2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309) > check_ntlm_password: authentication for user [10000001S] -> [10000001S] > -> [10000001S] succeeded > [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545) > init_sam_from_ldap: Entry found for user: 10000001S > [2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167) > init_group_from_ldap: Entry found for group: 10001 > [2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167) > init_group_from_ldap: Entry found for group: 10001 > [2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972) > init_ldap_from_sam: Setting entry for user: 10000001S > [2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651) > ldapsam_modify_entry: LDAP Password could not be changed for user > 10000001S: Constraint violation > Failed to update password > > > ==> /var/log/dirsrv/slapd-pruebas/audit <=> time: 20100628122637 > dn: uid=10000001s,XXXXXXXXXXXXX > changetype: modify > delete: sambaLMPassword > sambaLMPassword: 0182BD0BD4444BF836077A718CCDF409 > - > add: sambaLMPassword > sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC > - > delete: sambaNTPassword > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52 > - > add: sambaNTPassword > sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D > - > delete: sambaPwdLastSet > sambaPwdLastSet: 1277720109 > - > add: sambaPwdLastSet > sambaPwdLastSet: 1277720798 > - > replace: modifiersname > modifiersname: uid=adminsamba,XXXXXXXXXXX > - > replace: modifytimestamp > modifytimestamp: 20100628102637Z > - > > So, the Samba passwords are changed, but the unix password is not changed > because the LDAP rejects it because it is not as string as required. Is > there any way to avoid this? Shouldn't the unix password be changed before > the samba passwords to check if the LDAP server accepts it? > > Regards. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-- Met vriendelijke groeten, With kind regards, Mit freundlichen Gruessen, De jrus wah, Willy ************************************* Dr. W.K. Offermans CAT Postdoctoral Fellow CAT Catalytic Center Institut f?r Technische und Makromolekulare Chemie RWTH Aachen Worringerweg 1, Raum 38C-150 D-52074 Aachen, Germany Phone: +49 241 80 28592 Fax: +49 241 80 22593 Home: +31 45 544 49 44 Mobile: +31 681 15 87 68 e-mail: Willy at Offermans.Rompen.nl e-mail: Willy.Offermans at CatalyticCenter.RWTH-Aachen.de Powered by .... (__) \\\'',) \/ \ ^ .\._/_) www.FreeBSD.org
On 2010-06-28 at 12:40 +0200 Juan Asensio S?nchez sent off:> So, the Samba passwords are changed, but the unix password is not changed > because the LDAP rejects it because it is not as string as required. Is > there any way to avoid this? Shouldn't the unix password be changed before > the samba passwords to check if the LDAP server accepts it?this is also described in https://bugzilla.samba.org/show_bug.cgi?id=7101 can you please try out how well the patch from https://bugzilla.samba.org/attachment.cgi?id=5277 works for you? Thanks Bj?rn -- SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen