Password changing function

Andrew Bartlett abartlet at
Sun Dec 15 01:49:46 MST 2013

On Sun, 2013-12-15 at 19:25 +1100, David Keegel wrote:
> On Sat, Dec 14, 2013 at 10:09:51PM +0100, Dr. Michael Cinti wrote:
> > Hello everyone,
> > i would like to execute a program every password changing to update
> > an external LDAP.
> > I found that the function "dcesrv_samr_ChangePasswordUser3" in
> > source4/rpc_server/samr/samr_password.c is invoked only for the
> > first password changing but not in the other requests.
> > Anyone can help me
> > Michael
> What about putting something like:
> 	unix password sync = yes
> 	passwd program = /usr/local/bin/ldappasswd -S %u
> 	passwd chat = "*Enter new password*" %n\n "*Reenter new password*" %n\n "*Password changed*"
> into smb.conf? 
> You would probably need to change passwd program and passwd chat to suit
> your system.

The issue is that we don't excute this in the AD DC.  We really should
do that, and while the modal is a bit different because we don't have
matching unix account, I guess we should re-use this mechanism if we
can.  I did demo a module to sync passwords with other services many
years ago, and adding such a thing to the password_hash module shouldn't
be that hard, it just needs to be done. 

All that said, password sync should really be the last option.  It would
be better to make that external LDAP server forward bind requests to
Samba via SASL, kerberos or some other mechanism.  That way, when we
implement things like bad password lockout, we can keep accurate count.


Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list