[Samba] How to test that the administrator password is correct in a script?

[Rowland Penny]

On Sat, 2022-03-12 at 14:53 -0600, Patrick Goetz via samba wrote:
> I have a script which creates user accounts, makes home directories, 
> adds the users to groups, etc., but I'd like to make it more elegant.
> 
> Right now if the administrator password is incorrectly entered you
> get a 
> bunch of python errors as output.  Also, since the script runs as
> root, 
> some steps (e.g. home directory creation) are carried out even if
> the 
> user creation fails because the administrator password was entered 
> incorrectly.

Use 'kinit' to test the Administrator password:

echo "$THE_PASSWORD" | kinit Administrator ; status="$?" ; echo
"$status"

Having done that, you can then use kerberos with script.

> 
> I'd like to check the correctness of the password before actually
> doing 
> anything -- has anyone figured out a good way to do this? My thought
> was 
> to run some command as administrator and exit if the output
> indicates 
> that the correct data wasn't retrieved.
> 
> This problem is compounded by the fact that it appears samba-tool
> only 
> works on a DC -- is this correct?  Whenever I try to run something
> like

No, you can run must of the commands on a Unix domain member by using
'-H' e.g. -H ldap://dc1

> 
>    samba-tool user list -U administrator
> 
> on a client machine I just get a bunch of python errors.  Seems like
> it 
> should be possible to make this tool work from anywhere in the
> domain.

You can create the users Unix homedir on the fly with a 'root preexec'
script.

Rowland