[PATCH] Implement the check password script functionality in AD

Stefan Metzmacher metze at samba.org
Mon Jun 27 05:11:35 UTC 2016


On 27.06.2016 at 07:01, Andrew Bartlett wrote:
> On Wed, 2016-06-22 at 10:59 +1200, Andrew Bartlett wrote:
>> On Mon, 2016-06-20 at 06:58 +0200, Stefan Metzmacher wrote:
>>>
>>> Hi Bob,
>>>
>>>>
>>>> I'm an intern at Catalyst working with Garming Sam, learning
>>>> Samba.
>>>> Attached is a patch to implement the check password functionality
>>>> in AD,
>>>> which includes a test using sed matching as a password script. It
>>>> acts
>>>> much like it does in source3, however it runs your script as root
>>>> and
>>>> doesn't allow any macro substitutions.
>>>>
>>>> The test exists in the CHGDCPASS environment, which now no longer
>>>> uses
>>>> the AD complexity checks and just disallows a fixed unacceptable
>>>> password. This lets us check the script over all the protocols.
>>>>
>>>> Please review and push if acceptable.
>>> I had to solve a similar problem, people wanted to use a script to
>>> sync
>>> password changes to things like OpenLDAP.
>>>
>>> As I realized that using this would mean we will call an external
>>> script
>>> while holding the transaction lock. I'm 100% sure people will write
>>> scripts
>>> which will cause deadlocks this way. We just can't do any
>>> (blocking)
>>> IPC
>>> during
>>> a transaction, sorry!
>> I don't actually see the problem here.  A password quality script
>> shouldn't be blocking for any significant length of time, and if
>> people
>> write scripts that cause deadlocks, then they will quickly learn not
>> to
>> - it is an smb.conf option they have to set and a script they have to
>> write.  The most common case is simply to shell out to a script
>> checking for ; (our requested use case) or crackcheck (incompatible
>> with library used due to abort() on failure to open the dictionary).
>>
>>>
>>> For that reason I used another approach see:
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/head
>>> s/
>>> master4-gpgme
>> That seems like a good solution for a different problem.  I don't see
>> why we can't do both for both situations.
> 
> Can we make some progress here?  Is there really a good reason why we
> expect a password quality script will block the transaction, other than
> that it possibly could for a very short timeout, if it were so silly as
> to do a blocking network operation?

Ok, I mixed it with the "unix password sync" option.

As long as we have a hard timeout for the script, e.g. have a DEBUG 0 message
if it takes more than 1 second and abort it after 5 or 10?

metze
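As an added illustration of the hard timeout discussed above (this is not part of the thread and not Samba's own code), the wrapper below runs a check-password script with the candidate password on stdin, emits a warning once the script has run for longer than a soft limit (the 1 second mentioned above) and kills its whole process group after a hard limit (the 5 to 10 seconds mentioned above), so a slow or deadlocked script cannot hold the caller's transaction lock forever. The function name `run_check_script`, the `check_result` enum and the thresholds passed in `main` are assumptions for this example; the `grep -qv ';'` script mirrors the "checking for ;" use case named in the thread and the passwords are constructed test values.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome of running the external password-quality script (hypothetical enum). */
enum check_result {
    CHECK_ACCEPTED = 0, /* script exited 0: password is acceptable */
    CHECK_REJECTED,     /* script exited non-zero: password rejected */
    CHECK_TIMEOUT,      /* script exceeded the hard limit and was killed */
    CHECK_ERROR         /* fork/pipe failure or script died from a signal */
};

static double seconds_since(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (double)(now.tv_sec - start->tv_sec) +
           (double)(now.tv_nsec - start->tv_nsec) / 1e9;
}

static void feed_password(int fd, const char *password)
{
    /* EPIPE is tolerated: a script may legitimately exit without reading stdin. */
    if (write(fd, password, strlen(password)) < 0 && errno != EPIPE)
        perror("write password");
    else if (write(fd, "\n", 1) < 0 && errno != EPIPE)
        perror("write newline");
}

/*
 * Run 'script' via /bin/sh -c with the password on stdin only (nothing is
 * substituted into the command line). Warn after warn_after seconds and
 * kill the script's process group after kill_after seconds.
 */
enum check_result run_check_script(const char *script, const char *password,
                                   double warn_after, double kill_after)
{
    int fds[2];
    if (pipe(fds) != 0)
        return CHECK_ERROR;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return CHECK_ERROR;
    }
    if (pid == 0) {
        /* Child: own process group so helpers it spawns are killed with it. */
        setpgid(0, 0);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }

    /* Parent: the child may not have called setpgid yet, so do it here too. */
    setpgid(pid, 0);
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN); /* a script that never reads stdin must not kill us */
    feed_password(fds[1], password);
    close(fds[1]);

    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    const struct timespec poll_delay = { 0, 10 * 1000 * 1000 }; /* 10 ms */
    int warned = 0;
    int status = 0;

    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0 && errno != EINTR)
            return CHECK_ERROR;

        double t = seconds_since(&start);
        if (!warned && t > warn_after) {
            /* Stands in for the DEBUG 0 message proposed in the thread. */
            fprintf(stderr, "check password script still running after %.1fs\n", t);
            warned = 1;
        }
        if (t > kill_after) {
            kill(-pid, SIGKILL);          /* whole process group */
            kill(pid, SIGKILL);           /* in case setpgid failed */
            waitpid(pid, &status, 0);
            fprintf(stderr, "check password script killed after %.1fs\n", t);
            return CHECK_TIMEOUT;
        }
        nanosleep(&poll_delay, NULL);
    }

    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? CHECK_ACCEPTED : CHECK_REJECTED;
    return CHECK_ERROR; /* terminated by a signal we did not send */
}

int main(void)
{
    /* Constructed inputs: a ';' filter as in the thread, and a script that hangs. */
    enum check_result ok   = run_check_script("grep -qv ';'", "Passw0rd", 1.0, 5.0);
    enum check_result bad  = run_check_script("grep -qv ';'", "bad;pass", 1.0, 5.0);
    enum check_result hang = run_check_script("exec sleep 30", "any", 0.1, 0.5);
    printf("accepted=%d rejected=%d timeout=%d\n", ok, bad, hang);
    return 0;
}
```

The 10 ms polling loop keeps the example short; a production implementation inside an event loop would instead use SIGCHLD or a process-exit event with a timer, but the two thresholds and the group kill are the part that matters for not stalling the transaction.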
