Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 15:31]:
> Ralf Zimmermann wrote:
>> Hi all,
>> I have a problem with overlay ppolicy and samba. My samba backend is openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the userPassword all works fine. I read the slapo-ppolicy man page and I know that the only pwdAttribute is userPassword. If I change the userPassword with smbpasswd the policy also works fine. But if I want to change the password with a Windows client the problem begins. The sambaNTPassword is set every time to the new password because the ppolicy overlay checks only the userPassword. So both passwords are different and there is no control for the sambaNTPassword.
>> Is there any solution or a workaround for this problem?
>> Any help is appreciated.
>> Kind regards, Ralf Zimmermann
> Hello Ralf,
> you should take a look at the option 'ldap passwd sync' in the smb.conf manpage. I would also recommend taking a look at the smbk5pwd overlay if you don't already use that.
> Best regards, Christian Manal
The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem because samba makes a modify for the samba attributes.
We have a default ppolicy. But this policy works only with pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPoints 3 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPoints]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPoints, value = 3
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting quality to [3 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minUpper 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minUpper]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.

Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = useCracklib, value = 1
...
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPunct, value = 0
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting parameter to [0 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Found lower character - quality raise 1
Feb 16 14:16:32 rudi slapd[7683]: check_password: Reallocating szErrStr from 64 to 174
Feb 16 14:16:32 rudi slapd[7683]: check_password_quality: module error: (check_password.so) Password for dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" does not pass required number of strength checks (1 of 3).[1]
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=
Thanks,
Ralf Zimmermann
--
Ralf Zimmermann
SIEGNETZ.IT GmbH
Schneppenkauten 1a
57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Managing Director: Oliver Seitz
Registered office of the company: Siegen
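
As an added example that is not part of the original message: a log check that finds accounts left in the state described above, where the sambaNTPassword MOD was accepted but the password modify (PASSMOD) for the same DN that follows it was rejected, for instance with err=19 (constraintViolation). It assumes slapd stats logging in the format quoted in the message; the host name, DNs and connection numbers in the sample are constructed.

```python
import re

# Constructed sample in the slapd log format quoted above (made-up host and DNs).
SAMPLE_LOG = '''\
Feb 16 14:16:32 ldap1 slapd[100]: conn=1008 op=6 MOD dn="uid=alice,ou=Users,dc=example,dc=org"
Feb 16 14:16:32 ldap1 slapd[100]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 ldap1 slapd[100]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 ldap1 slapd[100]: conn=1009 op=6 PASSMOD id="uid=alice,ou=Users,dc=example,dc=org" new
Feb 16 14:16:32 ldap1 slapd[100]: conn=1009 op=6 RESULT oid= err=19 text=
Feb 16 14:20:05 ldap1 slapd[100]: conn=1010 op=3 MOD dn="uid=bob,ou=Users,dc=example,dc=org"
Feb 16 14:20:05 ldap1 slapd[100]: conn=1010 op=3 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:20:05 ldap1 slapd[100]: conn=1010 op=3 RESULT tag=103 err=0 text=
Feb 16 14:20:05 ldap1 slapd[100]: conn=1011 op=3 PASSMOD id="uid=bob,ou=Users,dc=example,dc=org" new
Feb 16 14:20:05 ldap1 slapd[100]: conn=1011 op=3 RESULT oid= err=0 text=
'''

LINE = re.compile(r'conn=(\d+) op=(\d+) (MOD|PASSMOD|RESULT) (.*)')
DN = re.compile(r'(?:dn|id)="([^"]*)"')

def find_desynced(log_text):
    """Return (dn, ldap_err) for DNs whose sambaNTPassword write succeeded but whose next PASSMOD failed."""
    ops = {}          # (conn, op) -> state of the operation in progress
    pending = set()   # DNs with an accepted sambaNTPassword write
    flagged = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        op = ops.setdefault(key, {"dn": None, "samba": False, "passmod": False})
        if kind == "RESULT":
            err = re.search(r'\berr=(\d+)', rest)
            del ops[key]
            if err is None or op["dn"] is None:
                continue
            if op["samba"] and err.group(1) == "0":
                pending.add(op["dn"])
            elif op["passmod"]:
                if err.group(1) != "0" and op["dn"] in pending:
                    flagged.append((op["dn"], int(err.group(1))))
                pending.discard(op["dn"])
            continue
        dn = DN.search(rest)
        if dn:
            op["dn"] = dn.group(1).lower()
        op["passmod"] |= kind == "PASSMOD"
        op["samba"] |= kind == "MOD" and rest.startswith("attr=") and "sambantpassword" in rest[5:].lower().split()
    return flagged
```

Each DN returned has a sambaNTPassword that no longer corresponds to its userPassword; correlation here is by DN and log order only, without a time window.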