Bug 6375 - Samba incorrectly handles responses from LDAP's ppolicy overlay
Samba incorrectly handles responses from LDAP's ppolicy overlay
Status: RESOLVED DUPLICATE of bug 5163
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
unspecified
x64 Linux
: P3 major
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-19 10:04 UTC by Ryan Steele
Modified: 2009-05-20 17:37 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Steele 2009-05-19 10:04:04 UTC
Full descriptions are in the following two threads from the Samba list, including examples, proof of concepts, and suggestions for fixing the problem:


http://lists.samba.org/archive/samba/2008-April/139711.html
http://www.mail-archive.com/samba@lists.samba.org/msg96183.html

Basically, instead of using the response that LDAP gives Samba as to why the ppolicy constraints were violated, Samba looks in it's own database for what it thinks the return code means.  This means all ppolicy constraints have to be duplicated in Samba, which is simply not scalable or maintainable.
Comment 1 Björn Jacke 2009-05-20 17:37:43 UTC
looking at the code it can't happen any more what the logs in the list posting showed with recent samba releases. Do you really see NT_STATUS_UNSUCCESSFUL being returned when LDAP gives a LDAP_CONSTRAINT_VIOLATION ?

I'm resolving this as a dup of #5163. If you really still see this problem with recent samba releases please reopen the bug and attach a network sniff and level 10 log of it.

*** This bug has been marked as a duplicate of bug 5163 ***