[PATCH] Implement the check password script functionality in AD
abartlet at samba.org
Tue Jun 21 22:59:08 UTC 2016
On Mon, 2016-06-20 at 06:58 +0200, Stefan Metzmacher wrote:
> Hi Bob,
> > I'm an intern at Catalyst working with Garming Sam, learning Samba.
> > Attached is a patch to implement the check password functionality
> > in AD, which includes a test using sed matching as a password script.
> > It acts much like it does in source3, however it runs your script as
> > root and doesn't allow any macro substitutions.
> > The test exists in the CHGDCPASS environment, which now no longer uses
> > the AD complexity checks and just disallows a fixed unacceptable
> > password. This lets us check the script over all the protocols.
> > Please review and push if acceptable.
> I had to solve a similar problem, people wanted to use a script to
> password changes to things like OpenLDAP.
> As I realized that using this would mean we will call an external
> while holding the transaction lock. I'm 100% sure people will write
> which will cause deadlocks this way. We just can't do any (blocking)
> a transaction, sorry!
I don't actually see the problem here. A password quality script
shouldn't be blocking for any significant length of time, and if people
write scripts that cause deadlocks, then they will quickly learn not to
- it is an smb.conf option they have to set and a script they have to
write. The most common case is simply to shell out to a script
checking for ; (our requested use case) or crackcheck (incompatible
with the library used due to abort() on failure to open the dictionary).
> For that reason I used another approach see:
That seems like a good solution for a different problem. I don't see
why we can't do both for both situations.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
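As an added illustration of the kind of script the thread is talking about (this is example code written for this page, not the patch's test script or anything from the Samba tree): Samba's existing source3 "check password script" contract is that the candidate password is written to the script's stdin and exit status 0 means "accept", anything else "reject"; the AD patch under discussion keeps that shape but runs the script as root and performs no macro substitution, so the script below takes nothing but stdin and trusts nothing else. The policy it enforces (a fixed banned password, rejection of any ';' via a sed match, and a length floor standing in for the AD complexity checks the CHGDCPASS environment switched off) and the install name check_password.sh are assumptions for the example; the banned literal is made up. It does no blocking work (no network, no dictionary file), which is what keeps it safe to call while the transaction lock is held.

```shell
#!/bin/sh
# Added example of a Samba "check password script" (not the project's own
# test script).  Samba writes the candidate password to stdin and treats
# exit 0 as "accept", any other status as "reject".  Configured with
#   check password script = /usr/local/sbin/check_password.sh
# Keep it non-blocking: it is called on the password-change path.

# Fixed unacceptable password, as in the thread's test environment.
# The literal is a constructed value for this example.
BANNED_PASSWORD='thatsreallybad'

# check_password PASSWORD  ->  returns 0 if acceptable, 1 otherwise.
check_password() {
    pw=$1

    # 1. Reject the fixed banned password outright.
    [ "$pw" != "$BANNED_PASSWORD" ] || return 1

    # 2. Reject anything containing ';' (the requested use case).
    #    sed prints only lines matching /;/, so any output means a hit.
    #    printf is used instead of echo to avoid escape interpretation.
    hit=$(printf '%s\n' "$pw" | sed -n '/;/p')
    [ -z "$hit" ] || return 1

    # 3. Minimum length, standing in for the disabled AD complexity checks.
    [ "${#pw}" -ge 8 ] || return 1

    return 0
}

# read_candidate  ->  prints the single line Samba sends on stdin.
# -r keeps backslashes literal; IFS= keeps leading/trailing spaces.
read_candidate() {
    IFS= read -r candidate
    printf '%s' "$candidate"
}

# Only run the stdin path when installed under the assumed script name;
# when sourced or run under another name, just define the functions.
if [ "${0##*/}" = "check_password.sh" ]; then
    candidate=$(read_candidate)
    check_password "$candidate"
    exit $?
fi
```

Usage once installed: `printf 'candidate;pw\n' | /usr/local/sbin/check_password.sh; echo $?` prints 1, while a password without ';' of at least eight characters exits 0. Because the AD variant runs this as root, the script deliberately takes no arguments, reads nothing but stdin, and never echoes the password anywhere.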