I use OpenLDAP's password policy overlay (ppolicy) and the smbk5pwd overlay (to keep Windows and UNIX passwords in sync).

In smb.conf I have:

    ldap passwd sync = Only

and in slapd.conf:

    moduleload smbk5pwd.so
    moduleload ppolicy.so
    overlay smbk5pwd
    smbk5pwd-enable samba
    overlay ppolicy

It works well, but with one exception. When a user tries to change his/her password to a value that is not accepted by the ppolicy rules it looks (for the user) like the change was successful even though the password change was refused by the LDAP server. Both smbpasswd and Windows (falsely) report that the password was changed successfully in this situation.

Example from smbd.log (log level 10):

    ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=zoologi,dc=su,dc=se
    init_ldap_from_sam: Setting entry for user: test
    smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1183967780|
    smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1183968232|
    smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
    smbldap_modify: dn => [uid=test,ou=Users,dc=zoologi,dc=su,dc=se]
    Extended operation failed with error: Constraint violation (Password is in history of old passwords)
    ldapsam_modify_entry: LDAP Password could not be changed for user test: Constraint violation
            Password is in history of old passwords
    pop_sec_ctx (1000, 10000) - sec_ctx_stack_ndx = 1
    init_samr_r_chgpasswd_user
    _samr_chgpasswd_user: 1480
    000000 samr_io_r_chgpasswd_user
    0000 status: NT_STATUS_UNSUCCESSFUL
    api_rpcTNP: called samr successfully

ldapsam_modify_entry returns NT_STATUS_UNSUCCESSFUL and this seems to cause "samr" to start the password change mechanism one more time (somehow...) but with empty changes (below is further down from the same logfile):

    ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=zoologi,dc=su,dc=se
    init_ldap_from_sam: Setting entry for user: test
    smbldap_make_mod: attribute |sambaPwdCanChange| not changed.
    smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
    ldapsam_update_sam_account: mods is empty: nothing to update for user: test
    pop_sec_ctx (1000, 10000) - sec_ctx_stack_ndx = 0
    init_samr_r_chgpasswd_user
    _samr_chgpasswd_user: 1480
    000000 samr_io_r_chgpasswd_user
    0000 status: NT_STATUS_OK
    api_rpcTNP: called samr successfully

Either of the following patches seems to fix the problem. However, I am not sure that this is the correct way to do it (or maybe I am doing something else wrong):

--- passdb/pdb_ldap.c.orig 2007-02-04 19:59:21.000000000 +0100 +++ passdb/pdb_ldap.c 2007-07-09 10:37:03.000000000 +0200 @@ -1644,7 +1644,7 @@ pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown")); SAFE_FREE(ld_error); ber_bvfree(bv); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_PASSWORD_RESTRICTION; } else { DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd))); #ifdef DEBUG_PASSWORD

--- passdb/pdb_ldap.c.orig 2007-02-04 19:59:21.000000000 +0100 +++ passdb/pdb_ldap.c 2007-07-09 10:37:46.000000000 +0200 @@ -1638,6 +1638,17 @@ return NT_STATUS_OK; } + if (rc == LDAP_CONSTRAINT_VIOLATION) { + ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, + &ld_error); + DEBUG(1, ("LDAP Password could not be changed for user %s: %s (%s)\n", + pdb_get_username(newpwd), ldap_err2string(rc), + ld_error ? ld_error : "unknown")); + SAFE_FREE(ld_error); + ber_bvfree(bv); + return NT_STATUS_PASSWORD_RESTRICTION; + } + ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",

Any ideas?
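Review bot: the first patch (the one-line hunk at -1644,7) turns every failure of the password extended operation into NT_STATUS_PASSWORD_RESTRICTION, not only policy refusals: the same branch handles whatever error the server returned (the surrounding context prints ldap_err2string(rc) for an arbitrary rc), so a directory that is unreachable or denies the modify would now tell the user that the new password violated policy. Since rc is already in scope, pick the status from it rather than replacing the constant, for example `return (rc == LDAP_CONSTRAINT_VIOLATION) ? NT_STATUS_PASSWORD_RESTRICTION : NT_STATUS_UNSUCCESSFUL;`.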
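Review bot: in the second patch (the hunk at -1638,6) the new `if (rc == LDAP_CONSTRAINT_VIOLATION)` block repeats the whole error-reporting sequence of the generic path right below it (ldap_get_option, DEBUG, SAFE_FREE(ld_error), ber_bvfree(bv)) and differs only in the return value, at a different debug level (1 instead of 0) and with a message that drops the "ldapsam_modify_entry:" prefix the existing message carries. Keeping a single error block and choosing the status at the end, `return (rc == LDAP_CONSTRAINT_VIOLATION) ? NT_STATUS_PASSWORD_RESTRICTION : NT_STATUS_UNSUCCESSFUL;`, gives the same client-visible result without two copies of the cleanup that must be kept in step.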
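As an added check for administrators running an affected build (this is not code from the report or from Samba), the following Python scanner reads smbd.log lines and flags the sequence described above: a password modify refused by the LDAP server with a constraint violation, followed by an update with empty mods for the same user that is answered with NT_STATUS_OK. The sample log text is constructed after the excerpt in the report, with a placeholder base DN; the per-user attribution assumes that the level-10 lines for one change request appear in order, which a busy smbd serving several clients at once does not guarantee.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the smbd.log (log level 10) excerpt in the
# report: one refused change for "test" that is later reported as NT_STATUS_OK,
# and one genuinely successful change for "alice". The DN is a placeholder.
SAMPLE_LOG = """\
ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=example,dc=com
init_ldap_from_sam: Setting entry for user: test
smbldap_modify: dn => [uid=test,ou=Users,dc=example,dc=com]
Extended operation failed with error: Constraint violation (Password is in history of old passwords)
ldapsam_modify_entry: LDAP Password could not be changed for user test: Constraint violation
\tPassword is in history of old passwords
_samr_chgpasswd_user: 1480
0000 status: NT_STATUS_UNSUCCESSFUL
ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=example,dc=com
init_ldap_from_sam: Setting entry for user: test
ldapsam_update_sam_account: mods is empty: nothing to update for user: test
_samr_chgpasswd_user: 1480
0000 status: NT_STATUS_OK
ldapsam_update_sam_account: user alice to be modified has dn: uid=alice,ou=Users,dc=example,dc=com
init_ldap_from_sam: Setting entry for user: alice
ldapsam_modify_entry: LDAP Password changed for user alice
_samr_chgpasswd_user: 1480
0000 status: NT_STATUS_OK
"""

# Message shapes taken from the log excerpt and the DEBUG() calls in the patch.
ENTRY_RE = re.compile(r"init_ldap_from_sam: Setting entry for user: (\S+)")
REFUSED_RE = re.compile(r"LDAP Password could not be changed for user (\S+): (.*)")
CHANGED_RE = re.compile(r"LDAP Password changed for user (\S+)")
EMPTY_RE = re.compile(r"mods is empty: nothing to update for user: (\S+)")
STATUS_RE = re.compile(r"status: (NT_STATUS_\w+)")


@dataclass
class Finding:
    user: str
    ldap_reason: str      # what the directory said when it refused the change
    reported_status: str  # what the client was told instead


def find_masked_refusals(log_text: str) -> List[Finding]:
    """Return one Finding per password change that LDAP refused but samr
    reported as NT_STATUS_OK after a follow-up update with no modifications."""
    findings: List[Finding] = []
    current_user: Optional[str] = None  # user of the request being processed
    refused: Dict[str, str] = {}        # user -> LDAP refusal reason, still unresolved
    empty_update: Set[str] = set()      # users whose last update carried no mods

    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current_user = m.group(1)
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group(1)] = m.group(2).strip()
            continue
        m = CHANGED_RE.search(line)
        if m:
            # A real success clears any earlier refusal for that user.
            refused.pop(m.group(1), None)
            continue
        m = EMPTY_RE.search(line)
        if m:
            empty_update.add(m.group(1))
            continue
        m = STATUS_RE.search(line)
        if m and current_user is not None:
            status = m.group(1)
            # The suspicious pattern: refusal, then an empty update, then OK.
            if status == "NT_STATUS_OK" and current_user in refused \
                    and current_user in empty_update:
                findings.append(Finding(current_user, refused.pop(current_user), status))
                empty_update.discard(current_user)
    return findings


if __name__ == "__main__":
    for f in find_masked_refusals(SAMPLE_LOG):
        print(f"{f.user}: LDAP refused ({f.ldap_reason}) but client got {f.reported_status}")
```

Run it against a real smbd.log captured at log level 10 by passing the file contents to find_masked_refusals(); an empty result on a deliberately policy-violating test change (for example reusing a password still in the ppolicy history) is the expected outcome once the server returns a password-restriction status to the client.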
Sorry for the late reply. This should be fixed in 3.6. Corresponding patch in master is a679319192a. Would be great if you can give feedback on that. I'm gonna close this bug as fixed for now. Thanks!