Rowland Penny
2017-Jul-10 13:47 UTC
[Samba] update google password using samba password chat
On Mon, 10 Jul 2017 15:15:35 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Johan Verdoodt via samba
> In chel di` si favelave...
>
> > Every idea or suggestion is more than welcome....
>
> Sorry for the very late answer.
>
> You can also use 'check password script' for things like that.
>

Sorry, but I fail to see how a script to check password complexity will help in changing a google password.

Rowland
Marco Gaiarin
2017-Jul-10 14:20 UTC
[Samba] update google password using samba password chat
Mandi! Rowland Penny via samba
In chel di` si favelave...

> > You can also use 'check password script' for things like that.
> Sorry, but I fail to see how a script to check password complexity will
> help in changing a google password.

In 'check password script' you have the user (it suffices to use %U) on the command line and the password on STDIN, so the base ingredients are here.

Also, if the script fails (e.g., exit code not 0), password changes are refused (indeed, with a generic message about complexity rules not being met).

Abused ever since. ;-)

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Andrew Bartlett
2017-Jul-10 20:25 UTC
[Samba] update google password using samba password chat
On Mon, 2017-07-10 at 16:20 +0200, Marco Gaiarin via samba wrote:

> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > > You can also use 'check password script' for things like that.
> >
> > Sorry, but I fail to see how a script to check password complexity will
> > help in changing a google password.
>
> In 'check password script' you have the user (it suffices to use %U) on the
> command line and the password on STDIN, so the base ingredients are here.
>
> Also, if the script fails (e.g., exit code not 0), password changes are
> refused (indeed, with a generic message about complexity rules not
> being met).
>
> Abused ever since. ;-)

Please don't do that. It holds the transaction lock open for the full time the script runs, can't read the database if it has changed during that transaction, doesn't know if the transaction is later aborted and has to be set up on each DC.

That is why we added the proper support for saving a crypt() based sha512 password for 4.7.

To discourage this use in the AD DC, the %U is not subbed in. That is a good thing, because dcesrv_samr_ValidatePassword also calls it, and this isn't actually changing anybody's password, and isn't access controlled!

So please don't do that.

For the 'classic' or NT4 DC, see 'passwd chat', 'passwd program' and 'unix password sync', or the slightly more elegant 'ldap passwd sync' (and then read the {CRYPT} password from userPassword on your openldap server).

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
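
The options named in the reply above, laid out as smb.conf fragments next to the pattern it warns against. This is an added illustration, not configuration posted by anyone in the thread: the script paths are hypothetical placeholders, and the parameter shown for the 4.7 crypt() support is taken from the smb.conf documentation, since the thread does not name it.

```ini
# --- Discouraged: 'check password script' used as a sync hook --------------
# The script runs inside the password-change transaction (lock held for its
# whole runtime), is also invoked by dcesrv_samr_ValidatePassword when no
# password is being changed, and on the AD DC %U is not substituted.
[global]
    # hypothetical script path
    check password script = /usr/local/sbin/push-password-elsewhere %U

# --- Classic / NT4 DC: hand the new password to an external program --------
[global]
    unix password sync = yes
    # hypothetical script path; %u is the user whose password is changing
    passwd program = /usr/local/sbin/sync-external-password %u
    # expect/send pairs driving the program; %n is the new password
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*

# --- Classic / NT4 DC with an LDAP backend (passdb backend = ldapsam) ------
# Samba also updates userPassword, so a separate job can read the {CRYPT}
# value from the OpenLDAP server after the change has been committed.
[global]
    ldap passwd sync = yes

# --- AD DC, Samba 4.7 or later: store a crypt() SHA-512 hash ---------------
# Parameter name from the smb.conf man page, not from this thread.
[global]
    password hash userPassword schemes = CryptSHA512
```

With 'unix password sync' enabled the 'passwd program' is run as root, so the script it points to should be owned by root and not writable by anyone else.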