[Samba] 'check password script' timeout, diferences between AD and NT mode?
Andrew Bartlett
abartlet at samba.org
Fri Jan 17 19:51:35 UTC 2020
On Thu, 2020-01-09 at 11:33 +0100, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
> In chel di` si favelave...
>
> > We have to have a pretty strict timeout on this otherwise the DB could
> > be transaction locked forever, as the script in the AD case runs while
> > the LDB transaction lock is taken.
>
> Ok, good. Thanks for the answer!
> But, just we are here, you can say me how the timeout is set in samba?
> Or point to the code snippet to read from? ;-)
source4/dsdb/common/samdb_check_password()
/* Gives a warning after 1 second, terminates after 10 */
tevent_add_timer(event_ctx, event_ctx,
tevent_timeval_current_ofs(1, 0),
pwd_timeout_debug, NULL);
...
req = samba_runcmd_send(event_ctx, event_ctx,
tevent_timeval_current_ofs(10, 0),
100, 100, cmd, NULL);
> I think also could be added to the manpage...
A MR on GitLab will be looked on favourably. :-)
> I can run the command in my script within 'coreutils' timeout, using,
> eg, half of the samba timeout.
>
>
> > Ideally use the samba-tool user syncpasswords system to take this
> > outside the transaction lock, and allow recovery after the other server
> > is back.
> > We really don't want the 'check password script' used for password
> > sync, which is why we built better alternatives.
>
> As stated to rowland, i'm using that.
>
> Only, i need to add some more strictier password checks, and so i use 'check password
> script' to verify that password comply to the spec, because 'samba-tool user
> syncpasswords' is a post-change tool, and so i could lead to a
> 'incompatible password' to be propagated.
Ahh, thanks for confirming that.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list