[PATCH] Implement the check password script functionality in AD

Stefan Metzmacher metze at samba.org
Mon Jun 20 04:58:28 UTC 2016


Hi Bob,

> I'm an intern at Catalyst working with Garming Sam, learning Samba.
> Attached is a patch to implement the check password functionality in AD,
> which includes a test using sed matching as a password script. It acts
> much like it does in source3, however it runs your script as root and
> doesn't allow any macro substitutions.
> 
> The test exists in the CHGDCPASS environment, which now no longer uses
> the AD complexity checks and just disallows a fixed unacceptable
> password. This lets us check the script over all the protocols.
> 
> Please review and push if acceptable.

I had to solve a similar problem, people wanted to use a script to sync
password changes to things like OpenLDAP.

I realized that using this would mean we will call an external script
while holding the transaction lock. I'm 100% sure people will write scripts
which will cause deadlocks this way. We just can't do any (blocking) IPC
during a transaction, sorry!

For that reason I used another approach, see:
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-gpgme

metze
