Password changing function
abartlet at samba.org
Sun Dec 15 01:49:46 MST 2013
On Sun, 2013-12-15 at 19:25 +1100, David Keegel wrote:
> On Sat, Dec 14, 2013 at 10:09:51PM +0100, Dr. Michael Cinti wrote:
> > Hello everyone,
> > i would like to execute a program every password changing to update
> > an external LDAP.
> > I found that the function "dcesrv_samr_ChangePasswordUser3" in
> > source4/rpc_server/samr/samr_password.c is invoked only for the
> > first password changing but not in the other requests.
> > Anyone can help me
> > Michael
> What about putting something like:
> unix password sync = yes
> passwd program = /usr/local/bin/ldappasswd -S %u
> passwd chat = "*Enter new password*" %n\n "*Reenter new password*" %n\n "*Password changed*"
> into smb.conf?
> You would probably need to change passwd program and passwd chat to suit
> your system.
The issue is that we don't excute this in the AD DC. We really should
do that, and while the modal is a bit different because we don't have
matching unix account, I guess we should re-use this mechanism if we
can. I did demo a module to sync passwords with other services many
years ago, and adding such a thing to the password_hash module shouldn't
be that hard, it just needs to be done.
All that said, password sync should really be the last option. It would
be better to make that external LDAP server forward bind requests to
Samba via SASL, kerberos or some other mechanism. That way, when we
implement things like bad password lockout, we can keep accurate count.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical