Patrick Goetz
2022-Mar-12 22:20 UTC
[Samba] How to test that the administrator password is correct in a script?
Thanks, Roland. That was super helpful. On 3/12/22 15:12, Rowland Penny via samba wrote:> On Sat, 2022-03-12 at 14:53 -0600, Patrick Goetz via samba wrote: >> I have a script which creates user accounts, makes home directories, >> adds the users to groups, etc., but I'd like to make it more elegant. >> >> Right now if the administrator password is incorrectly entered you >> get a >> bunch of python errors as output. Also, since the script runs as >> root, >> some steps (e.g. home directory creation) are carried out even if >> the >> user creation fails because the administrator password was entered >> incorrectly. > > Use 'kinit' to test the Administrator password: > > echo "$THE_PASSWORD" | kinit Administrator ; status="$?" ; echo > "$status" > > Having done that, you can then use kerberos with script. > >> >> I'd like to check the correctness of the password before actually >> doing >> anything -- has anyone figured out a good way to do this? My thought >> was >> to run some command as administrator and exit if the output >> indicates >> that the correct data wasn't retrieved. >> >> This problem is compounded by the fact that it appears samba-tool >> only >> works on a DC -- is this correct? Whenever I try to run something >> like > > No, you can run must of the commands on a Unix domain member by using > '-H' e.g. -H ldap://dc1 > >> >> samba-tool user list -U administrator >> >> on a client machine I just get a bunch of python errors. Seems like >> it >> should be possible to make this tool work from anywhere in the >> domain. > > You can create the users Unix homedir on the fly with a 'root preexec' > script. > > Rowland > > >
Patrick Goetz
2022-Mar-14 14:23 UTC
[Samba] How to test that the administrator password is correct in a script?
Since this took longer than I thought to get right, I'm sharing the bash shell snippet used to test that the Administrator password the script user entered is correct before proceeding. I looked at Roland's thing, but this seemed simpler: ($DATASERVER can be any old computer bound to the domain) ---------------------------------------------------------------------- read -s -p "Administrator Password: " APASS echo PWCHECK=$(samba-tool computer show $DATASERVER --attributes=sAMAccountName -H ldap://samba-dc -U "administrator%${APASS}" 2>&1) PWCHECK=${PWCHECK:0:2} if [ "${PWCHECK}" != "dn" ]; then echo "Administrator password is incorrect" exit 1 fi ---------------------------------------------------------------------- On 3/12/22 16:20, Patrick Goetz via samba wrote:> Thanks, Roland.? That was super helpful. > > On 3/12/22 15:12, Rowland Penny via samba wrote: >> On Sat, 2022-03-12 at 14:53 -0600, Patrick Goetz via samba wrote: >>> I have a script which creates user accounts, makes home directories, >>> adds the users to groups, etc., but I'd like to make it more elegant. >>> >>> Right now if the administrator password is incorrectly entered you >>> get a >>> bunch of python errors as output.? Also, since the script runs as >>> root, >>> some steps (e.g. home directory creation) are carried out even if >>> the >>> user creation fails because the administrator password was entered >>> incorrectly. >> >> Use 'kinit' to test the Administrator password: >> >> echo "$THE_PASSWORD" | kinit Administrator ; status="$?" ; echo >> "$status" >> >> Having done that, you can then use kerberos with script. >> >>> >>> I'd like to check the correctness of the password before actually >>> doing >>> anything -- has anyone figured out a good way to do this? My thought >>> was >>> to run some command as administrator and exit if the output >>> indicates >>> that the correct data wasn't retrieved. >>> >>> This problem is compounded by the fact that it appears samba-tool >>> only >>> works on a DC -- is this correct?? Whenever I try to run something >>> like >> >> No, you can run must of the commands on a Unix domain member by using >> '-H' e.g. -H ldap://dc1 >> >>> >>> ??? samba-tool user list -U administrator >>> >>> on a client machine I just get a bunch of python errors.? Seems like >>> it >>> should be possible to make this tool work from anywhere in the >>> domain. >> >> You can create the users Unix homedir on the fly with a 'root preexec' >> script. >> >> Rowland >> >> >> >