[Samba] update google password using samba password chat
Andrew Bartlett
abartlet at samba.org
Mon Jul 10 20:25:10 UTC 2017
On Mon, 2017-07-10 at 16:20 +0200, Marco Gaiarin via samba wrote:
> Hi! Rowland Penny via samba
> On that day it was said...
>
> > > You can also use 'check password script' for things like that.
> >
> > Sorry, but I fail to see how a script to check password complexity will
> > help in changing a google password.
>
> In 'check password script' you have the user (it suffices to use %U) on the
> command line and the password on STDIN, so the base ingredients are here.
>
> Also, if the script fails (e.g., error code not 0) the password change is
> refused (indeed, with a generic message about complexity rules not
> being met).
>
>
> Abused ever since. ;-)

Please don't do that. It holds the transaction lock open for the full
time the script runs, can't read the database if it has changed during
that transaction, doesn't know if the transaction is later aborted and
has to be set up on each DC.

That is why we added the proper support for saving a crypt() based
sha512 password for 4.7.

To discourage this use in the AD DC, the %U is not subbed in. That is a
good thing, because dcesrv_samr_ValidatePassword also calls it, and
this isn't actually changing anybody's password, and isn't access
controlled!

So please don't do that. For the 'classic' or NT4 DC, see 'passwd
chat', 'passwd program' and 'unix password sync', or the slightly more
elegant 'ldap passwd sync' (and then read the {CRYPT} password from
userPassword on your openldap server).

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
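
An added example, not part of the original message and not Samba project code: a small audit of smb.conf text that flags the 'check password script' setups the message warns about. The sample configuration, the script path and the finding codes are constructed for illustration; only the canonical 'server role' spelling is matched.

```python
import re

# Constructed sample smb.conf; the script path is hypothetical.
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
    ; hook abused to push passwords to an external service
    check password script = /usr/local/sbin/push-password.sh %U
"""

def parse_global(text):
    """Return [global] parameters, keyed with case and whitespace
    removed from the parameter name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Return finding codes for the 'check password script' hazards."""
    params = parse_global(text)
    script = params.get("checkpasswordscript", "")
    if not script:
        return []
    findings = []
    if params.get("serverrole", "").lower() == "active directory domain controller":
        # Per the message: runs with the transaction lock held, and is also
        # called from dcesrv_samr_ValidatePassword where nothing is changed.
        findings.append("AD_DC_HOOK_IN_TRANSACTION")
        if "%U" in script:
            # Per the message: %U is not substituted on the AD DC.
            findings.append("AD_DC_PERCENT_U_NOT_SUBSTITUTED")
    else:
        # Classic DC: confirm the hook only checks complexity; sync belongs
        # in 'unix password sync' or 'ldap passwd sync'.
        findings.append("REVIEW_HOOK_IS_COMPLEXITY_CHECK_ONLY")
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE_SMB_CONF):
        print(code)
```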