Patrick Goetz
2022-Mar-14 14:23 UTC
[Samba] How to test that the administrator password is correct in a script?
Since this took longer than I thought to get right, I'm sharing the bash shell snippet used to test that the Administrator password the script user entered is correct before proceeding. I looked at Roland's thing, but this seemed simpler:

($DATASERVER can be any old computer bound to the domain)
----------------------------------------------------------------------
# Read the password without echoing it (-r keeps backslashes literal)
read -r -s -p "Administrator Password: " APASS
echo

# Query any domain-joined computer object as Administrator; capture stdout and stderr
PWCHECK=$(samba-tool computer show "$DATASERVER" \
    --attributes=sAMAccountName -H ldap://samba-dc \
    -U "administrator%${APASS}" 2>&1)

# A successful query starts with "dn: ..."; anything else is an error
PWCHECK=${PWCHECK:0:2}

if [ "${PWCHECK}" != "dn" ]; then
  echo "Administrator password is incorrect"
  exit 1
fi
----------------------------------------------------------------------

On 3/12/22 16:20, Patrick Goetz via samba wrote:
> Thanks, Roland. That was super helpful.
>
> On 3/12/22 15:12, Rowland Penny via samba wrote:
>> On Sat, 2022-03-12 at 14:53 -0600, Patrick Goetz via samba wrote:
>>> I have a script which creates user accounts, makes home directories,
>>> adds the users to groups, etc., but I'd like to make it more elegant.
>>>
>>> Right now if the administrator password is incorrectly entered you get a
>>> bunch of python errors as output. Also, since the script runs as root,
>>> some steps (e.g. home directory creation) are carried out even if the
>>> user creation fails because the administrator password was entered
>>> incorrectly.
>>
>> Use 'kinit' to test the Administrator password:
>>
>> echo "$THE_PASSWORD" | kinit Administrator ; status="$?" ; echo "$status"
>>
>> Having done that, you can then use kerberos with script.
>>
>>>
>>> I'd like to check the correctness of the password before actually doing
>>> anything -- has anyone figured out a good way to do this? My thought was
>>> to run some command as administrator and exit if the output indicates
>>> that the correct data wasn't retrieved.
>>>
>>> This problem is compounded by the fact that it appears samba-tool only
>>> works on a DC -- is this correct? Whenever I try to run something like
>>
>> No, you can run most of the commands on a Unix domain member by using
>> '-H' e.g. -H ldap://dc1
>>
>>>
>>>     samba-tool user list -U administrator
>>>
>>> on a client machine I just get a bunch of python errors. Seems like it
>>> should be possible to make this tool work from anywhere in the domain.
>>
>> You can create the users Unix homedir on the fly with a 'root preexec'
>> script.
>>
>> Rowland
Rowland Penny
2022-Mar-14 15:33 UTC
[Samba] How to test that the administrator password is correct in a script?
On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
> Since this took longer than I thought to get right, I'm sharing the bash
> shell snippet used to test that the Administrator password the script
> user entered is correct before proceeding. I looked at Roland's thing,
> but this seemed simpler:
>
> ($DATASERVER can be any old computer bound to the domain)
> ----------------------------------------------------------------------
> read -s -p "Administrator Password: " APASS
> echo
>
> PWCHECK=$(samba-tool computer show $DATASERVER --attributes=sAMAccountName -H ldap://samba-dc -U "administrator%${APASS}" 2>&1)
>
> PWCHECK=${PWCHECK:0:2}
>
> if [ "${PWCHECK}" != "dn" ]; then
>   echo "Administrator password is incorrect"
>   exit 1
> fi

Yes, it is simpler, but your way is sending Administrator's password over the wire, mine doesn't.

Rowland
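
The kinit check suggested in the thread, written out as a pre-flight function for a provisioning script. This is an added example, not code from either post; the function names, the private credential-cache path and the principal name are assumptions. The password is passed on stdin, so it also stays out of the process list, where a `-U "administrator%..."` argument would be visible.

```bash
# Added example, not from the thread. The principal name is an assumption
# and must resolve in the default realm of /etc/krb5.conf.

# verify_admin_password PRINCIPAL CCACHE_FILE
# Reads the password from stdin (never from argv, which other local users
# can see in the process list). Returns 0 only if kinit obtained a ticket.
verify_admin_password() (
    KRB5CCNAME="FILE:$2"
    export KRB5CCNAME
    kinit "$1" >/dev/null 2>&1
)

# prompt_admin_ticket PRINCIPAL
# Prompts without echo and, on success, exports KRB5CCNAME pointing at a
# private cache so later commands authenticate with the ticket.
prompt_admin_ticket() {
    ccache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_admin.XXXXXX") || return 1
    printf 'Administrator Password: ' >&2
    [ -t 0 ] && stty -echo
    IFS= read -r apass
    [ -t 0 ] && stty echo
    printf '\n' >&2
    if printf '%s\n' "$apass" | verify_admin_password "$1" "$ccache"; then
        unset apass
        KRB5CCNAME="FILE:$ccache"
        export KRB5CCNAME
        return 0
    fi
    unset apass
    rm -f "$ccache"
    echo "Administrator password is incorrect" >&2
    return 1
}

# Usage, before any accounts or home directories are touched:
#   prompt_admin_ticket Administrator || exit 1
#   trap 'kdestroy >/dev/null 2>&1; rm -f "${KRB5CCNAME#FILE:}"' EXIT
#   Later samba-tool calls then authenticate with the ticket
#   (--use-kerberos=required on Samba 4.15+, -k yes on older releases).
```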