Rowland Penny
2023-Dec-16 20:28 UTC
[Samba] Samba 4.19.2: "Unwilling to perform" password change
On Sat, 16 Dec 2023 14:29:06 -0500 Joshua Kramer via samba <samba at lists.samba.org> wrote:
> Hello All,
>
> I have a custom built version of Samba 4.19.2 running on Rocky Linux
> 9. When I attempt to change a password via LDAP, I get an error,
> "Unwilling to Perform". In Google searches I found that this is due
> to password complexity requirements.

The password complexity isn't the problem, the problem is that you cannot change the unicode password over ldap, you have to use ssl (ldaps).

Rowland

Andrew Bartlett
2023-Dec-18 01:01 UTC
[Samba] Samba 4.19.2: "Unwilling to perform" password change
On Sat, 2023-12-16 at 20:28 +0000, Rowland Penny via samba wrote:
> On Sat, 16 Dec 2023 14:29:06 -0500
> Joshua Kramer via samba <samba at lists.samba.org> wrote:
>
> > Hello All,
> >
> > I have a custom built version of Samba 4.19.2 running on Rocky Linux
> > 9. When I attempt to change a password via LDAP, I get an error,
> > "Unwilling to Perform". In Google searches I found that this is due
> > to password complexity requirements.
>
> The password complexity isn't the problem, the problem is that you
> cannot change the unicode password over ldap, you have to use ssl
> (ldaps).

Or Kerberos/NTLM encryption, but these are harder to do with most tools.

We did this to avoid exposure of the new passwords over LDAP. We perhaps should have allowed for the equally insecure "ldap server require strong auth = no" but honestly I would prefer folks didn't do that either.

We now match Windows behaviour.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
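
The password change discussed in this thread, as an added example that is not part of either post and is not Samba project code: it builds the LDIF for a `unicodePwd` change and refuses any server URI that is not `ldaps://`, so the new password is never sent over plain LDAP. The host name, DN and passwords are constructed sample values, the DN is assumed to be ASCII, and the helper names are hypothetical.

```python
import base64
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def require_ldaps(uri: str) -> str:
    """Reject URIs that would carry the new password over unencrypted LDAP."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "ldaps" or not parsed.hostname:
        raise ValueError(f"refusing to send unicodePwd to {uri!r}: use ldaps://")
    return uri


def password_change_ldif(user_dn: str, old: str, new: str) -> str:
    """LDIF for a user-initiated change: delete the old value, add the new one."""
    def b64(pw: str) -> str:
        return base64.b64encode(encode_unicode_pwd(pw)).decode("ascii")

    return "\n".join([
        f"dn: {user_dn}",          # assumption: ASCII-only DN, no base64 needed
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {b64(old)}",  # '::' marks a base64-encoded LDIF value
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {b64(new)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    uri = require_ldaps("ldaps://dc1.samdom.example.com")
    ldif = password_change_ldif(
        "CN=Test User,CN=Users,DC=samdom,DC=example,DC=com",
        "OldPassw0rd!", "NewPassw0rd!",
    )
    print(f"# feed to: ldapmodify -H {uri} -D <bind DN> -W")
    print(ldif)
```
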