[PATCH] Implement the check password script functionality in AD

Andrew Bartlett abartlet at samba.org
Tue Jun 21 22:59:08 UTC 2016


On Mon, 2016-06-20 at 06:58 +0200, Stefan Metzmacher wrote:
> Hi Bob,
> 
> > I'm an intern at Catalyst working with Garming Sam, learning Samba.
> > Attached is a patch to implement the check password functionality
> > in AD, which includes a test using sed matching as a password script.
> > It acts much like it does in source3, however it runs your script as
> > root and doesn't allow any macro substitutions.
> > 
> > The test exists in the CHGDCPASS environment, which now no longer
> > uses the AD complexity checks and just disallows a fixed unacceptable
> > password. This lets us check the script over all the protocols.
> > 
> > Please review and push if acceptable.
> 
> I had to solve a similar problem, people wanted to use a script to
> sync password changes to things like OpenLDAP.
> 
> As I realized that using this would mean we will call an external
> script while holding the transaction lock. I'm 100% sure people will
> write scripts which will cause deadlocks this way. We just can't do
> any (blocking) IPC during a transaction, sorry!

I don't actually see the problem here.  A password quality script
shouldn't be blocking for any significant length of time, and if people
write scripts that cause deadlocks, then they will quickly learn not to
- it is an smb.conf option they have to set and a script they have to
write.  The most common case is simply to shell out to a script
checking for ; (our requested use case) or crackcheck (incompatible
with library used due to abort() on failure to open the dictionary).

> For that reason I used another approach see:
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-gpgme

That seems like a good solution for a different problem.  I don't see
why we can't do both for both situations.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
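As an added illustration (not the patch from this thread nor Samba's own code), a check password script of the shape the thread describes: it rejects the test environment's single fixed unacceptable password and any password containing ';', and does no IPC or network I/O, so it cannot block while the transaction lock is held. It assumes the source3 convention that the candidate password arrives on stdin and exit status 0 means accept; the `--run` argument and the placeholder password are assumptions of this example.

```shell
#!/bin/sh
# Added example of a "check password script" for Samba.
# Assumption (mirroring source3 behaviour as described in the thread):
# Samba pipes the candidate password to stdin and treats exit status 0
# as "accept" and non-zero as "reject". The script is run as root with
# no macro substitution, so it must not trust anything but stdin.
# It performs only local string checks: no sockets, no LDAP, no locks,
# so it cannot deadlock against the transaction Samba is holding.

# Constructed placeholder; a real deployment would set its own value.
FORBIDDEN_PASSWORD='Penguin123!'

# check_password PASSWORD -> exit status 0 if acceptable, 1 if rejected.
check_password() {
    pw=$1
    # Reject the single fixed unacceptable password (as in CHGDCPASS).
    if [ "$pw" = "$FORBIDDEN_PASSWORD" ]; then
        return 1
    fi
    # Reject any password containing ';' (the use case named above).
    case $pw in
        *\;*) return 1 ;;
    esac
    return 0
}

# Entry point when invoked by Samba, e.g.
#   check password script = /usr/local/sbin/check_password.sh --run
# The --run guard is an assumption of this example so the functions can
# also be sourced and tested without consuming stdin.
if [ "${1:-}" = "--run" ]; then
    IFS= read -r candidate
    if check_password "$candidate"; then
        exit 0
    fi
    echo "password rejected by local policy" >&2
    exit 1
fi
```

Running it as `printf 'abc;def\n' | sh check_password.sh --run; echo $?` prints 1, while a password without ';' that is not the forbidden value yields 0.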
