[Samba] 'check password script' timeout, differences between AD and NT mode?

Andrew Bartlett abartlet at samba.org
Fri Jan 17 19:51:35 UTC 2020

On Thu, 2020-01-09 at 11:33 +0100, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
>   In chel di` si favelave...
> > We have to have a pretty strict timeout on this otherwise the DB could
> > be transaction locked forever, as the script in the AD case runs while
> > the LDB transaction lock is taken.
> Ok, good. Thanks for the answer!
> But, while we are here, can you tell me how the timeout is set in Samba?
> Or point to the code snippet to read from? ;-)


		/* Gives a warning after 1 second, terminates after 10 */
		tevent_add_timer(event_ctx, event_ctx,
				 tevent_timeval_current_ofs(1, 0),
				 pwd_timeout_debug, NULL);

		req = samba_runcmd_send(event_ctx, event_ctx,
					tevent_timeval_current_ofs(10, 0),
					100, 100, cmd, NULL);

> I think also could be added to the manpage...

An MR on GitLab will be looked on favourably. :-)

> I can run the command in my script within 'coreutils' timeout, using,
> eg, half of the samba timeout.
> > Ideally use the samba-tool user syncpasswords system to take this
> > outside the transaction lock, and allow recovery after the other server
> > is back.
> > We really don't want the 'check password script' used for password
> > sync, which is why we built better alternatives.  
> As stated to Rowland, I'm using that.
> Only, I need to add some stricter password checks, and so I use 'check password
> script' to verify that the password complies with the spec, because 'samba-tool user
> syncpasswords' is a post-change tool, and so it could lead to an
> 'incompatible password' being propagated.

Ahh, thanks for confirming that.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
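
The approach discussed in this message (policy checks only, with any slow step wrapped in coreutils `timeout` at half of the 10-second limit) could look like the sketch below. It is an added example, not code from the thread or from Samba. It assumes the candidate password arrives on stdin and that exit status 0 means "accept"; `EXTERNAL_CHECK` and the file name `check-password.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): a 'check password script' that bounds its own run time.
# Assumptions: Samba passes the candidate password on stdin and treats exit 0 as
# "accept"; EXTERNAL_CHECK and the file name check-password.sh are hypothetical.
LC_ALL=C; export LC_ALL
BUDGET=${BUDGET:-5}   # seconds; half of the 10 s limit in the snippet above

# Pure local policy: no I/O, so it cannot stall the LDB transaction.
local_policy_ok() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
}

# Optional slow checker, run under coreutils timeout. The password goes in
# on stdin, never on the command line where it would show up in ps output.
external_ok() {
    [ -n "${EXTERNAL_CHECK:-}" ] || return 0
    printf '%s' "$1" | timeout -k 1 "$BUDGET" $EXTERNAL_CHECK
    rc=$?
    case $rc in
        124|137) echo "check-password: external check timed out" >&2
                 return 2 ;;   # fail closed, well inside Samba's limit
    esac
    return "$rc"
}

check_password() {
    local_policy_ok "$1" || return 1
    external_ok "$1"
}

# Entry point only when installed under the assumed name.
case ${0##*/} in
    check-password.sh)
        IFS= read -r password || [ -n "$password" ] || exit 1
        check_password "$password"
        exit $? ;;
esac
```

With `-k 1` the external checker is killed at most one second after the budget expires, so the script's worst case stays at about 6 seconds.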
