[Samba] update google password using samba password chat

Andrew Bartlett abartlet at samba.org
Mon Jul 10 20:25:10 UTC 2017

On Mon, 2017-07-10 at 16:20 +0200, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> > > You can also use 'check password script' for things like that.
> > 
> > Sorry, but I fail to see how a script to check password complexity will
> > help in changing a google password.
> In 'check password script' you have the user (it suffices to use %U) in
> commandline and the password in STDIN, so base ingredient are here.
> Also, if the script fail (eg, error code not 0) password chage are
> refused (indeed, with a generic message about complexity rules not
> meet).
> Abused ever since. ;-)

Please don't do that.  It holds the transaction lock open for the full
time the script runs, can't read the database if it has changed during
that transaction, doesn't know if the transaction is later aborted and
has to be set up on each DC.

That is why we added the proper support for saving a crypt() based
sha512 password for 4.7.

To discourage this use in the AD DC, the %U is not subbed in. That is a
good thing, because dcesrv_samr_ValidatePassword also calls it, and
this isn't actually changing anybodies password, and isn't access

So please don't do that.  For the 'classic' or NT4 DC, see 'passwd
chat', 'passwd program' and 'unix password sync', or the slightly more
elegant 'ldap passwd sync' (and then read the {CRYPT} password from
userPassword on your openldap server).


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list