[Samba] How to test that the administrator password is correct in a script?

Andrew Bartlett abartlet at samba.org
Mon Mar 14 21:14:03 UTC 2022


On Mon, 2022-03-14 at 21:07 +0000, Rowland Penny via samba wrote:
> On Tue, 2022-03-15 at 09:52 +1300, Andrew Bartlett via samba wrote:
> > On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
> > > On 3/14/22 10:33, Rowland Penny via samba wrote:
> > > > On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
> > > > > Since this took longer than I thought to get right, I'm sharing the
> > > > > bash shell snippet used to test that the Administrator password the
> > > > > script user entered is correct before proceeding. I looked at
> > > > > Rowland's thing, but this seemed simpler:
> > > > > 
> > > > > ($DATASERVER can be any old computer bound to the domain)
> > > > > -----------------------------------------------------------
> > > > > ----
> > > > > ----
> > > > > ---
> > > > > read -s -p "Administrator Password: " APASS
> > > > > echo
> > > > > 
> > > > > PWCHECK=$(samba-tool computer show $DATASERVER
> > > > > --attributes=sAMAccountName  -H ldap://samba-dc -U
> > > > > "administrator%${APASS}" 2>&1)
> > > > > 
> > > > > PWCHECK=${PWCHECK:0:2}
> > > > > 
> > > > > if [ "${PWCHECK}" != "dn" ]; then
> > > > >     echo "Administrator password is incorrect"
> > > > >     exit 1
> > > > > fi
> > > > 
> > > > Yes, it is simpler, but your way is sending Administrator's password
> > > > over the wire, mine doesn't.
> > > > 
> > > 
> > > Hmmm, that's a good point. I guess I assumed that the samba-tool 
> > > communications would be encrypted -- is that not the case?
> > > 
> > 
> > Rowland misspoke,
> 
> Misunderstood possibly, but not misspoke. My understanding is that
> passwords are authenticated on the DC, if this is correct (and if it
> isn't, why isn't it correct), how does the password get to the DC? I
> appreciate that the password is likely to be encrypted in some way, but
> it still needs to get to the DC.

The initial stages of all Samba-tool authenticated commands are
essentially the same as running 'kinit', particularly if
--user-kerberos=required is specified.

Andrew Bartlett

> Rowland
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
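
Added example, not part of the thread and not Samba's own code: since the reply above compares samba-tool authentication to running 'kinit', the password check can be done with kinit directly, feeding the password on stdin so it never appears in a command line. It assumes MIT Kerberos kinit (which reads the password from stdin when stdin is not a terminal); the function name `check_domain_password`, the `KINIT` override variable and the realm `SAMDOM.EXAMPLE.COM` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a domain password by requesting a Kerberos TGT.
# Assumption: MIT Kerberos kinit, which reads the password from stdin
# when stdin is not a terminal. KINIT may be set to another kinit binary.

# check_domain_password PRINCIPAL PASSWORD
# Returns 0 if the KDC issued a ticket, 1 if kinit failed (wrong password,
# unknown principal or unreachable KDC), 2 if no temporary cache could be made.
check_domain_password() {
    local principal="$1" password="$2" ccache rc

    # Private throwaway credential cache, so the caller's tickets are untouched.
    ccache=$(mktemp "${TMPDIR:-/tmp}/pwcheck_cc.XXXXXX") || return 2

    # printf is a shell builtin: the password travels through a pipe and is
    # never an argument of an external process.
    if printf '%s\n' "$password" |
        KRB5CCNAME="FILE:${ccache}" "${KINIT:-kinit}" "$principal" >/dev/null 2>&1
    then
        rc=0
    else
        rc=1
    fi

    # The ticket was only needed as proof of the password; discard it.
    rm -f "$ccache"
    return "$rc"
}

# Usage in a script (realm is a constructed placeholder):
#   read -r -s -p "Administrator Password: " APASS; echo
#   if ! check_domain_password "administrator@SAMDOM.EXAMPLE.COM" "$APASS"; then
#       echo "Administrator password is incorrect"
#       exit 1
#   fi
```

A non-zero result also covers an unreachable KDC or clock skew, so a script that needs to tell those apart should inspect kinit's error output instead of discarding it.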



