[Samba] How to test that the administrator password is correct in a script?

Patrick Goetz pgoetz at math.utexas.edu
Tue Mar 15 14:47:26 UTC 2022



On 3/14/22 15:52, Andrew Bartlett wrote:
> On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
>>
>> On 3/14/22 10:33, Rowland Penny via samba wrote:
>>> On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
>>>> Since this took longer than I thought to get right, I'm sharing the
>>>> bash shell snippet used to test that the Administrator password the
>>>> script user entered is correct before proceeding. I looked at
>>>> Rowland's thing, but this seemed simpler:
>>>>
>>>> ($DATASERVER can be any old computer bound to the domain)
>>>> ----------------------------------------------------------------------
>>>> read -s -p "Administrator Password: " APASS
>>>> echo
>>>>
>>>> PWCHECK=$(samba-tool computer show "$DATASERVER" \
>>>>     --attributes=sAMAccountName -H ldap://samba-dc \
>>>>     -U "administrator%${APASS}" 2>&1)
>>>>
>>>> PWCHECK=${PWCHECK:0:2}
>>>>
>>>> if [ "${PWCHECK}" != "dn" ]; then
>>>>      echo "Administrator password is incorrect"
>>>>      exit 1
>>>> fi
>>>
>>> Yes, it is simpler, but your way is sending Administrator's password
>>> over the wire, mine doesn't.
>>>
>>
>> Hmmm, that's a good point. I guess I assumed that the samba-tool
>> communications would be encrypted -- is that not the case?
>>
> 
> Rowland misspoke, the concern is not 'the wire', it is the poor
> practice of having passwords on the command line.  While Samba tries to
> wipe the command line soon after main() is called, there is a race
> where all users on the system can see all command-line parameters.
> 

It took me a second to figure out what you're talking about here.

To me this is an argument for sandboxing services more than anything 
else. Since no users log in directly on the server I'm running this 
script on, command line detection is of little concern.

Good to know about the PASSWD environment variable, though.  That sounds 
like a good alternative in situations where users are able to run `ps 
auxw`.  The control flow then would be something like:

   prompt for password using read -s
   export PASSWD=$PASSWD
   <do stuff requiring authentication>
   unset PASSWD


> Depending on the levels of shell, also watch out for meta-characters in
> the password.
> 
> Better options include putting the password in a password file
> (protected by permissions), stdin (as long as you don't just move the
> problem to another binary), or an environment variable.
> 
> We now put some of this info into our documentation:
> 
> If --password is not specified, the tool will check the PASSWD
> environment variable, followed by PASSWD_FD, which is expected to
> contain an open file descriptor (FD) number.
>
> Finally it will check PASSWD_FILE (containing a file path to be
> opened). The file should only contain the password. Make certain that
> the permissions on the file restrict access from unwanted users!
> 
> 
> Andrew Bartlett
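
The control flow sketched in this message, with the password handed to samba-tool through the PASSWD environment variable described in the quoted documentation, as an added example that is not part of the original thread. `SAMBA_TOOL`, `DC_URL` and the two function names are assumptions introduced here; the `dn` success test is the one from the quoted snippet.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify the Administrator password
# without placing it in samba-tool's argument list.

# Assumed names: SAMBA_TOOL and DC_URL are introduced for this example.
# The default URL is the one used in the snippet quoted in the thread.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}
DC_URL=${DC_URL:-ldap://samba-dc}

# Prompt without echo and store the result in the variable named by $1.
# IFS= and -r keep leading/trailing blanks and backslashes intact, so
# meta-characters in the password reach samba-tool unchanged.
prompt_admin_password() {
    IFS= read -r -s -p "Administrator Password: " "$1"
    echo >&2
}

# Return 0 if the password authenticates, 1 otherwise.
# $1 = any computer bound to the domain, $2 = candidate password.
check_admin_password() {
    local out
    # Refuse an empty password instead of letting the tool fall back to
    # some other credential source.
    [ -n "$2" ] || return 1
    # The PASSWD=... prefix sets the variable for this one child process
    # only. It is not exported to the rest of the script and is not part
    # of the argument list that `ps auxw` shows to other users.
    out=$(PASSWD="$2" "$SAMBA_TOOL" computer show "$1" \
            --attributes=sAMAccountName -H "$DC_URL" -U administrator 2>&1)
    # Same success test as the quoted snippet: the LDIF output of a
    # successful lookup starts with "dn".
    case $out in
        dn*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage in a script:
#   prompt_admin_password APASS
#   check_admin_password "$DATASERVER" "$APASS" || {
#       echo "Administrator password is incorrect" >&2; exit 1; }
```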


