Patrick Goetz
2022-Mar-14 16:48 UTC
[Samba] How to test that the administrator password is correct in a script?
On 3/14/22 10:33, Rowland Penny via samba wrote:> On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote: >> Since this took longer than I thought to get right, I'm sharing the >> bash >> shell snippet used to test that the Administrator password the >> script >> user entered is correct before proceeding. I looked at Roland's >> thing, >> but this seemed simpler: >> >> ($DATASERVER can be any old computer bound to the domain) >> ------------------------------------------------------------------- >> --- >> read -s -p "Administrator Password: " APASS >> echo >> >> PWCHECK=$(samba-tool computer show $DATASERVER >> --attributes=sAMAccountName -H ldap://samba-dc -U >> "administrator%${APASS}" 2>&1) >> >> PWCHECK=${PWCHECK:0:2} >> >> if [ "${PWCHECK}" != "dn" ]; then >> echo "Administrator password is incorrect" >> exit 1 >> fi > > Yes, it is simpler, but your way is sending Administrators password > over the wire, mine doesn't. >Hmmm, that's a good point. I guess I assumed that the samba-tool communications would be encrypted -- is that not the case?> Rowland > > >
Andrew Bartlett
2022-Mar-14 20:52 UTC
[Samba] How to test that the administrator password is correct in a script?
On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:> > On 3/14/22 10:33, Rowland Penny via samba wrote: > > On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote: > > > Since this took longer than I thought to get right, I'm sharing > > > the > > > bash > > > shell snippet used to test that the Administrator password the > > > script > > > user entered is correct before proceeding. I looked at Roland's > > > thing, > > > but this seemed simpler: > > > > > > ($DATASERVER can be any old computer bound to the domain) > > > --------------------------------------------------------------- > > > ---- > > > --- > > > read -s -p "Administrator Password: " APASS > > > echo > > > > > > PWCHECK=$(samba-tool computer show $DATASERVER > > > --attributes=sAMAccountName -H ldap://samba-dc -U > > > "administrator%${APASS}" 2>&1) > > > > > > PWCHECK=${PWCHECK:0:2} > > > > > > if [ "${PWCHECK}" != "dn" ]; then > > > echo "Administrator password is incorrect" > > > exit 1 > > > fi > > > > Yes, it is simpler, but your way is sending Administrators password > > over the wire, mine doesn't. > > > > Hmmm, that's a good point. I guess I assumed that the samba-tool > communications would be encrypted -- is that not the case? >Rowland misspoke, the concern is not 'the wire', it is the poor practice of having passwords on the command line. While Samba tries to wipe the command line soon after main() is called, there is a race where all users on the system can see all command-line parameters. Depending on the levels of shell, also watch out for meta-characters in the password. Better options include putting the password in a password file (protected by permissions), stdin (as long as you don't just move the problem to another binary), or an environment variable. We now put some of this info into our documentation: If --password is not specified, the tool will check the <envar>PASSWD</envar> environment variable, followed by <envar>PASSWD_FD</envar> which is expected to contain an open file descriptor (FD) number. Finally it will check <envar>PASSWD_FILE</envar> (containing a file path to be opened). The file should only contain the password. Make certain that the permissions on the file restrict access from unwanted users! Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions