[PATCH] Implement the check password script functionality in AD
Andrew Bartlett
abartlet at samba.org
Mon Jun 27 05:01:25 UTC 2016
On Wed, 2016-06-22 at 10:59 +1200, Andrew Bartlett wrote:
> On Mon, 2016-06-20 at 06:58 +0200, Stefan Metzmacher wrote:
> >
> > Hi Bob,
> >
> > >
> > > I'm an intern at Catalyst working with Garming Sam, learning
> > > Samba.
> > > Attached is a patch to implement the check password functionality
> > > in AD,
> > > which includes a test using sed matching as a password script. It
> > > acts
> > > much like it does in source3, however it runs your script as root
> > > and
> > > doesn't allow any macro substitutions.
> > >
> > > The test exists in the CHGDCPASS environment, which now no longer
> > > uses
> > > the AD complexity checks and just disallows a fixed unacceptable
> > > password. This lets us check the script over all the protocols.
> > >
> > > Please review and push if acceptable.
> > I had to solve a similar problem, people wanted to use a script to
> > sync
> > password changes to things like OpenLDAP.
> >
> > As I realized that using this would mean we will call an external
> > script
> > while holding the transaction lock. I'm 100% sure people will write
> > scripts
> > which will cause deadlocks this way. We just can't do any
> > (blocking)
> > IPC
> > during
> > a transaction, sorry!
> I don't actually see the problem here. A password quality script
> shouldn't be blocking for any significant length of time, and if
> people
> write scripts that cause deadlocks, then they will quickly learn not
> to
> - it is an smb.conf option they have to set and a script they have to
> write. The most common case is simply to shell out to a script
> checking for ; (our requested use case) or crackcheck (incompatible
> with library used due to abort() on failure to open the dictionary).
>
> >
> > For that reason I used another approach see:
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/head
> > s/
> > master4-gpgme
> That seems like a good solution for a different problem. I don't see
> why we can't do both for both situations.
Can we make some progress here? Is there really a good reason why we
expect a password quality script will block the transaction, other than
that it possibly could for a very short timeout, if it were so silly as
to do a blocking network operation?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list