[PATCH] Implement the check password script functionality in AD

garming at catalyst.net.nz garming at catalyst.net.nz
Mon Jun 20 07:15:41 UTC 2016


Hi Metze,

While I definitely agree that it's the way to go for syncing, it seems
prohibitive when all someone wishes to do is exclude a specific character
from their passwords. I can understand that you'd feel strongly about
this, and that people should not be using this for any sync actions. Is
the check password script parameter actually implemented any better in
the source3 code? Otherwise, it only matches and I think has an
additional imposed time limit.

It always seems that the simplest things are the hardest to get right. So
it goes...


Cheers,

Garming

> Hi Bob,
>
>> I'm an intern at Catalyst working with Garming Sam, learning Samba.
>> Attached is a patch to implement the check password functionality in AD,
>> which includes a test using sed matching as a password script. It acts
>> much like it does in source3, however it runs your script as root and
>> doesn't allow any macro substitutions.
>>
>> The test exists in the CHGDCPASS environment, which now no longer uses
>> the AD complexity checks and just disallows a fixed unacceptable
>> password. This lets us check the script over all the protocols.
>>
>> Please review and push if acceptable.
>
> I had to solve a similar problem, people wanted to use a script to sync
> password changes to things like OpenLDAP.
>
> I realized that using this would mean we will call an external script
> while holding the transaction lock. I'm 100% sure people will write
> scripts which will cause deadlocks this way. We just can't do any
> (blocking) IPC during a transaction, sorry!
>
> For that reason I used another approach, see:
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-gpgme
>
> metze
>
>

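A policy script of the kind the thread is about, written here as an added example (it is neither Samba's code nor the patch's sed-based test): it reads the candidate password from stdin and exits 0 to accept it, which is the contract of the smb.conf `check password script` parameter. The banned password, excluded character and minimum length are constructed placeholders, and the script does only local string matching, given metze's point that the AD server is still holding the transaction lock while it runs.

```shell
#!/bin/sh
# Added example: a "check password script" policy. Samba writes the
# candidate password to stdin and accepts it only if the script exits 0.
# No network or IPC here: the script runs under the directory transaction.

BANNED_PASSWORD='Penguin1'   # constructed: the one fixed unacceptable password
EXCLUDED_CHAR='!'            # constructed: the one character to exclude
MIN_LENGTH=8                 # constructed

# check_password: read one password from stdin; return 0 = accept, 1 = reject.
# Reasons go to stderr, never the password itself (the script runs as root and
# its stderr may end up in the server log).
check_password() {
    pw=
    # IFS= keeps leading/trailing spaces, -r keeps backslashes; the
    # "|| [ -n "$pw" ]" accepts input that has no trailing newline.
    IFS= read -r pw || [ -n "$pw" ] || { echo "reject: empty" >&2; return 1; }

    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "reject: shorter than $MIN_LENGTH characters" >&2; return 1
    fi
    if [ "$pw" = "$BANNED_PASSWORD" ]; then
        echo "reject: banned password" >&2; return 1
    fi
    case $pw in
        *"$EXCLUDED_CHAR"*) echo "reject: contains '$EXCLUDED_CHAR'" >&2; return 1 ;;
    esac
    return 0
}

# verdict: helper for testing, prints accept/reject for the password in $1.
verdict() {
    if printf '%s\n' "$1" | check_password 2>/dev/null; then
        echo accept
    else
        echo reject
    fi
}

# Installed as "check password script = /path/to/this.sh --check", Samba's
# stdin is the password; with no arguments nothing is read (for sourcing).
[ "${1:-}" = "--check" ] && { check_password; exit $?; }
```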