[Samba] How to test that the administrator password is correct in a script?

Rowland Penny rpenny at samba.org
Mon Mar 14 21:07:50 UTC 2022


On Tue, 2022-03-15 at 09:52 +1300, Andrew Bartlett via samba wrote:
> On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
> > On 3/14/22 10:33, Rowland Penny via samba wrote:
> > > On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
> > > > Since this took longer than I thought to get right, I'm sharing
> > > > the bash shell snippet used to test that the Administrator
> > > > password the script user entered is correct before proceeding.
> > > > I looked at Rowland's thing, but this seemed simpler:
> > > > 
> > > > ($DATASERVER can be any old computer bound to the domain)
> > > > ----------------------------------------------------------------------
> > > > # -r keeps backslashes in the password intact
> > > > read -r -s -p "Administrator Password: " APASS
> > > > echo
> > > > 
> > > > PWCHECK=$(samba-tool computer show "$DATASERVER" \
> > > >     --attributes=sAMAccountName -H ldap://samba-dc \
> > > >     -U "administrator%${APASS}" 2>&1)
> > > > 
> > > > PWCHECK=${PWCHECK:0:2}
> > > > 
> > > > if [ "${PWCHECK}" != "dn" ]; then
> > > >     echo "Administrator password is incorrect"
> > > >     exit 1
> > > > fi
> > > 
> > > Yes, it is simpler, but your way is sending Administrator's
> > > password over the wire, mine doesn't.
> > > 
> > 
> > Hmmm, that's a good point. I guess I assumed that the samba-tool 
> > communications would be encrypted -- is that not the case?
> > 
> 
> Rowland misspoke,

Misunderstood possibly, but not misspoke. My understanding is that
passwords are authenticated on the DC, if this is correct (and if it
isn't, why isn't it correct), how does the password get to the DC? I
appreciate that the password is likely to be encrypted in some way, but
it still needs to get to the DC.

Rowland
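
An added example, not code from this thread or from the Samba project: the quoted check written as a shell function that tests samba-tool's exit status and keeps the password out of the argument list. It assumes samba-tool picks the password up from the `PASSWD` environment variable; `SAMBA_TOOL`, `DC_URL`, `check_admin_password` and `prompt_and_check` are names made up for this sketch.

```shell
# Added example: verify a domain password with one LDAP lookup.
# SAMBA_TOOL and DC_URL are hypothetical knobs; DATASERVER is the
# variable used in the quoted snippet.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
DC_URL="${DC_URL:-ldap://samba-dc}"

# check_admin_password USER PASSWORD COMPUTER
# Returns 0 when the bind and lookup succeed, 1 otherwise.
check_admin_password() {
    local user="$1" pass="$2" computer="$3" out
    # Reject an empty password before calling the tool at all.
    [ -n "$pass" ] || return 1
    # ASSUMPTION: samba-tool reads the password from PASSWD, so it is not
    # part of the command line. The variable is set for this one call only.
    # stdin comes from /dev/null so the tool cannot sit waiting at a prompt.
    out=$(PASSWD="$pass" "$SAMBA_TOOL" computer show "$computer" \
            --attributes=sAMAccountName -H "$DC_URL" -U "$user" \
            2>/dev/null </dev/null) || return 1
    # A successful lookup prints an LDIF record, which starts with "dn:".
    case "$out" in
        dn:*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prompt without echo, then run the check against $DATASERVER.
prompt_and_check() {
    local pw
    printf 'Administrator Password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    echo >&2
    if ! check_admin_password administrator "$pw" "$DATASERVER"; then
        echo "Administrator password is incorrect" >&2
        return 1
    fi
}
```

A calling script would run `prompt_and_check || exit 1` before its first privileged step.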




