Marco Gaiarin
2020-Jan-07 11:35 UTC
[Samba] 'check password script' timeout, diferences between AD and NT mode?
Here we use a (custom-made, internal) password propagation system, hooked around 'check password script'.

Recently we suffered a network outage (another one ;-), and the system that takes care of password propagation went offline.

+ NT domains continued to work, clearly without the password being propagated

+ the AD domain stopped working (e.g. users' password changes on Windows stopped working), because the script timed out.

Note that 'check password script = ' runs a bash script that 'wraps' the real password propagation system, and that returns '0' anyway. The script doesn't fail, it times out. I've run the real password propagation system by hand, and it effectively times out (90 seconds circa) connecting to the server.

So it seems that on AD a timeout gets added to 'check password script', and if the timeout expires, the password change gets refused. It also seems that this behaviour was not present in NT mode.

Is there something I can do on the Samba side? Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2020-Jan-07 12:06 UTC
[Samba] 'check password script' timeout, diferences between AD and NT mode?
On 07/01/2020 11:35, Marco Gaiarin via samba wrote:
> Here we use a (custom-made, internal) password propagation system,
> hooked around 'check password script'.
>
> Recently we suffered a network outage (another one ;-), and the system
> that takes care of password propagation went offline.
>
> + NT domains continued to work, clearly without the password being propagated
>
> + the AD domain stopped working (e.g. users' password changes on Windows stopped
> working), because the script timed out.
>
> Note that 'check password script = ' runs a bash script that 'wraps' the
> real password propagation system, and that returns '0' anyway. The
> script doesn't fail, it times out.
> I've run the real password propagation system by hand, and it effectively
> times out (90 seconds circa) connecting to the server.
>
>
> So it seems that on AD a timeout gets added to 'check password script' and
> if the timeout expires, the password change gets refused.
> It also seems that this behaviour was not present in NT mode.
>
>
> Is there something I can do on the Samba side? Thanks.
>
Yes, do it the right way ;-)

Can you read French? See here:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

Rowland
Marco Gaiarin
2020-Jan-07 13:46 UTC
[Samba] 'check password script' timeout, diferences between AD and NT mode?
Hi! Rowland Penny via samba wrote:
> Yes, do it the right way ;-)

This is not the point, Rowland. I'm doing the right thing, only 'samba-tool user syncpasswords' works AFTER the password change has taken place in the domain, and my system needs some added password checks (admitted characters, ...), so I simply do this TWO times, once in 'check password script' (to verify that the password meets the criteria) and once in 'samba-tool user syncpasswords' (to do the real propagation).

The binary called in both scripts is the same, and it times out in the same way. ;-)

I hope I was clearer, now. Thanks.

--
dott. Marco Gaiarin
Andrew Bartlett
2020-Jan-09 01:29 UTC
[Samba] 'check password script' timeout, diferences between AD and NT mode?
On Tue, 2020-01-07 at 12:35 +0100, Marco Gaiarin via samba wrote:
> Here we use a (custom-made, internal) password propagation system,
> hooked around 'check password script'.
>
> Recently we suffered a network outage (another one ;-), and the system
> that takes care of password propagation went offline.
>
> + NT domains continued to work, clearly without the password being propagated
>
> + the AD domain stopped working (e.g. users' password changes on Windows stopped
> working), because the script timed out.
>
> Note that 'check password script = ' runs a bash script that 'wraps' the
> real password propagation system, and that returns '0' anyway. The
> script doesn't fail, it times out.
> I've run the real password propagation system by hand, and it effectively
> times out (90 seconds circa) connecting to the server.
>
>
> So it seems that on AD a timeout gets added to 'check password script' and
> if the timeout expires, the password change gets refused.
> It also seems that this behaviour was not present in NT mode.
>

We have to have a pretty strict timeout on this, otherwise the DB could be transaction-locked forever, as the script in the AD case runs while the LDB transaction lock is taken.

> Is there something I can do on the Samba side? Thanks.

Ideally use the samba-tool user syncpasswords system to take this outside the transaction lock, and allow recovery after the other server is back.

We really don't want the 'check password script' used for password sync, which is why we built better alternatives.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Marco Gaiarin
2020-Jan-09 10:33 UTC
[Samba] 'check password script' timeout, diferences between AD and NT mode?
Hi! Andrew Bartlett via samba wrote:
> We have to have a pretty strict timeout on this, otherwise the DB could
> be transaction-locked forever, as the script in the AD case runs while
> the LDB transaction lock is taken.

OK, good. Thanks for the answer!

But, while we are here, can you tell me how the timeout is set in Samba? Or point me to the code snippet to read? ;-) I think it could also be added to the manpage...

I can run the command in my script within the 'coreutils' timeout, using, e.g., half of the Samba timeout.

> Ideally use the samba-tool user syncpasswords system to take this
> outside the transaction lock, and allow recovery after the other server
> is back.
> We really don't want the 'check password script' used for password
> sync, which is why we built better alternatives.

As stated to Rowland, I'm using that. Only, I need to add some stricter password checks, and so I use 'check password script' to verify that the password complies with the spec, because 'samba-tool user syncpasswords' is a post-change tool, and so it could lead to an 'incompatible password' being propagated.

Thanks.

--
dott. Marco Gaiarin
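The wrapper discussed in this thread, written out as an added example (it is not code from the thread or from Samba): the extra password policy is checked locally, and the call to the external propagation system is bounded with coreutils `timeout` so that the LDB transaction Samba holds while the script runs is never blocked for long. The path and `--check` flag of the propagation binary, the 5-second budget (Samba's own limit is not stated in the thread; keep yours well under it) and the example policy rules are assumptions.

```shell
#!/bin/bash
# Added example, not code from this thread or from Samba.
# A 'check password script' wrapper for a Samba AD DC that:
#   1. enforces the extra password policy locally (no network, cannot hang);
#   2. asks the external propagation system whether it would accept the
#      password, under a hard coreutils `timeout`, so the LDB transaction
#      Samba holds while this script runs is never blocked for long.
# Assumptions (not from the thread): the pre-check binary and its flag
# (PROPAGATE_BIN --check), the 5 s budget and the example policy rules.
set -u
export LC_ALL=C   # make [:graph:] mean printable ASCII only

: "${PROPAGATE_BIN:=/usr/local/bin/pwpropagate-check}"   # assumed path
: "${PROPAGATE_BUDGET:=5}"                               # seconds, assumed

# Local policy check. Returns 0 if the password is acceptable, 1 otherwise.
# Example rules: at least 8 characters, printable ASCII without spaces,
# at least one digit and one letter.
check_password_policy() {
    local pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    case "$pw" in *[![:graph:]]*) return 1 ;; esac     # space, control, non-ASCII
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:alpha:]]*) ;; *) return 1 ;; esac
    return 0
}

# Bounded call to the propagation system. The password goes over stdin,
# never on the command line (argv is readable by every local user via /proc).
# Returns 0 when the remote side accepts the password or cannot answer in
# time (the real propagation is done later by 'samba-tool user syncpasswords',
# which can retry once the remote system is back), and 1 when the remote
# side explicitly rejects it (or the binary cannot be run at all).
run_propagation_check() {
    local pw="$1" rc
    if printf '%s' "$pw" | timeout -k 2 "$PROPAGATE_BUDGET" "$PROPAGATE_BIN" --check; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)   return 0 ;;
        124|137)   # 124: deadline hit, TERM sent; 137: still alive, KILL sent
             echo "check_password: propagation pre-check exceeded ${PROPAGATE_BUDGET}s, accepting password" >&2
             return 0 ;;
        *)   echo "check_password: propagation pre-check rejected password (rc=$rc)" >&2
             return 1 ;;
    esac
}

# Entry point. Samba writes the candidate password to the script's stdin;
# 'read -r' with IFS cleared keeps it byte for byte, whether or not a
# newline terminates it. smb.conf on the DC:
#   check password script = /usr/local/sbin/check_password.sh check
check_password_main() {
    local pw=''
    IFS= read -r pw || :
    if ! check_password_policy "$pw"; then
        echo "check_password: password rejected by local policy" >&2
        return 1
    fi
    run_propagation_check "$pw"
}

if [ "${1:-}" = "check" ]; then
    check_password_main
    exit $?
fi
```

Two deliberate choices: a timeout of the pre-check is treated as "accept", because the propagation itself is handled after the change by 'samba-tool user syncpasswords' and a rejected change would otherwise turn every outage of the remote system into a domain-wide inability to change passwords, exactly the failure described in the first post; a binary that cannot be executed at all (exit 126/127) is treated as "reject", since that is a local configuration error rather than a transient one. Whatever budget is chosen for `PROPAGATE_BUDGET`, it has to stay below the limit Samba enforces around the script, which the thread does not quote; check the value in the source of the Samba version in use.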