[Samba] 'check password script' timeout, differences between AD and NT mode?

Andrew Bartlett abartlet at samba.org
Thu Jan 9 01:29:36 UTC 2020


On Tue, 2020-01-07 at 12:35 +0100, Marco Gaiarin via samba wrote:
> Here we use a (custom-made, internal) password propagation system,
> hooked around 'check password script'.
> 
> Recently we suffered a network outage (another one ;-), and the system
> that takes care of password propagation went offline.
> 
>  + NT domains continued to work, though clearly passwords were not propagated
> 
>  + The AD domain stopped working (e.g. user password changes on Windows stopped
>    working), because the script timed out.
> 
> Note that 'check password script = ' runs a bash script that 'wraps' the
> real password propagation system, and that always returns '0'. The
> script doesn't fail, it times out.
> I've run the real password propagation system by hand, and it indeed
> times out (about 90 seconds) connecting to the server.
> 
> 
> So it seems that on AD a timeout gets added to 'check password script' and
> if the timeout expires, the password change gets refused.
> It also seems that this behaviour was not present in NT mode.
> 

We have to have a pretty strict timeout on this otherwise the DB could
be transaction locked forever, as the script in the AD case runs while
the LDB transaction lock is taken.

> Is there something I can do on the Samba side? Thanks.

Ideally use the samba-tool user syncpasswords system to take this
outside the transaction lock, and allow recovery after the other server
is back.

We really don't want the 'check password script' used for password
sync, which is why we built better alternatives.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
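As an added example (not code from the thread or from the Samba project), here is what a 'check password script' looks like when it respects the constraint Andrew describes: it does only fast, local policy checks and never reaches a remote system, so it cannot sit on the LDB transaction lock until Samba's timeout refuses the change. Samba passes the new password on stdin and treats exit 0 as accept, non-zero as reject; the SAMBA_CPS_ACCOUNT_NAME variable and the `timeout`-based guard are assumptions for illustration, not something the thread states.

```shell
#!/bin/sh
# Added example: a 'check password script' that stays fast and local.
# Samba writes the candidate password to stdin; exit 0 = accept, non-zero
# = reject. Propagation to other systems does not belong here; on an AD DC
# use 'samba-tool user syncpasswords', which runs outside the transaction.

# Hard wall-clock bound for anything that could block (seconds). Returns
# 124 on timeout (coreutils semantics) so a caller can log and move on
# instead of holding the LDB transaction lock. Assumes coreutils timeout.
bounded() {
    limit="$1"; shift
    timeout "$limit" "$@"
}

# Local policy only: $1 = candidate password, $2 = account name (optional).
check_policy() {
    pw="$1"; acct="$2"
    [ "${#pw}" -ge 12 ] || { echo "policy: too short" >&2; return 1; }
    case "$pw" in
        *[0-9]*) ;;
        *) echo "policy: needs a digit" >&2; return 1 ;;
    esac
    if [ -n "$acct" ]; then
        # Case-insensitive "password must not contain the account name".
        lc_pw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
        lc_acct=$(printf '%s' "$acct" | tr 'A-Z' 'a-z')
        case "$lc_pw" in
            *"$lc_acct"*) echo "policy: contains account name" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Entry point: read the password from stdin (Samba sends it without a
# trailing newline, so tolerate EOF) and decide. Assumption: the AD DC
# exports the account name as SAMBA_CPS_ACCOUNT_NAME; check smb.conf(5).
check_password() {
    IFS= read -r pw || [ -n "$pw" ]
    check_policy "$pw" "${SAMBA_CPS_ACCOUNT_NAME:-}"
}
```

To install it, point `check password script =` at the file and append a bare `check_password` call as its last line; the exit status of that call is what Samba sees.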