Andrew Bartlett
2022-Mar-14 20:52 UTC
[Samba] How to test that the administrator password is correct in a script?
On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
>
> On 3/14/22 10:33, Rowland Penny via samba wrote:
> > On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
> > > Since this took longer than I thought to get right, I'm sharing the
> > > bash shell snippet used to test that the Administrator password the
> > > script user entered is correct before proceeding. I looked at
> > > Rowland's thing, but this seemed simpler:
> > >
> > > ($DATASERVER can be any old computer bound to the domain)
> > > ----------------------------------------------------------------------
> > > read -s -p "Administrator Password: " APASS
> > > echo
> > >
> > > PWCHECK=$(samba-tool computer show $DATASERVER \
> > >     --attributes=sAMAccountName -H ldap://samba-dc \
> > >     -U "administrator%${APASS}" 2>&1)
> > >
> > > PWCHECK=${PWCHECK:0:2}
> > >
> > > if [ "${PWCHECK}" != "dn" ]; then
> > >     echo "Administrator password is incorrect"
> > >     exit 1
> > > fi
> >
> > Yes, it is simpler, but your way is sending Administrators password
> > over the wire, mine doesn't.
> >
>
> Hmmm, that's a good point. I guess I assumed that the samba-tool
> communications would be encrypted -- is that not the case?
>

Rowland misspoke, the concern is not 'the wire', it is the poor practice of having passwords on the command line. While Samba tries to wipe the command line soon after main() is called, there is a race where all users on the system can see all command-line parameters.

Depending on the levels of shell, also watch out for meta-characters in the password.

Better options include putting the password in a password file (protected by permissions), stdin (as long as you don't just move the problem to another binary), or an environment variable.

We now put some of this info into our documentation:

    If --password is not specified, the tool will check the
    <envar>PASSWD</envar> environment variable, followed by
    <envar>PASSWD_FD</envar> which is expected to contain an open
    file descriptor (FD) number.

    Finally it will check <envar>PASSWD_FILE</envar> (containing
    a file path to be opened). The file should only contain the
    password. Make certain that the permissions on the file
    restrict access from unwanted users!

Andrew Bartlett
-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions

Rowland Penny
2022-Mar-14 21:07 UTC
[Samba] How to test that the administrator password is correct in a script?
On Tue, 2022-03-15 at 09:52 +1300, Andrew Bartlett via samba wrote:
> On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
> > On 3/14/22 10:33, Rowland Penny via samba wrote:
> > > On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
> > > > Since this took longer than I thought to get right, I'm sharing
> > > > the bash shell snippet used to test that the Administrator
> > > > password the script user entered is correct before proceeding.
> > > > I looked at Rowland's thing, but this seemed simpler:
> > > >
> > > > ($DATASERVER can be any old computer bound to the domain)
> > > > ------------------------------------------------------------------
> > > > read -s -p "Administrator Password: " APASS
> > > > echo
> > > >
> > > > PWCHECK=$(samba-tool computer show $DATASERVER \
> > > >     --attributes=sAMAccountName -H ldap://samba-dc \
> > > >     -U "administrator%${APASS}" 2>&1)
> > > >
> > > > PWCHECK=${PWCHECK:0:2}
> > > >
> > > > if [ "${PWCHECK}" != "dn" ]; then
> > > >     echo "Administrator password is incorrect"
> > > >     exit 1
> > > > fi
> > >
> > > Yes, it is simpler, but your way is sending Administrators
> > > password over the wire, mine doesn't.
> > >
> >
> > Hmmm, that's a good point. I guess I assumed that the samba-tool
> > communications would be encrypted -- is that not the case?
> >
>
> Rowland misspoke,

Misunderstood possibly, but not misspoke. My understanding is that passwords are authenticated on the DC, if this is correct (and if it isn't, why isn't it correct), how does the password get to the DC? I appreciate that the password is likely to be encrypted in some way, but it still needs to get to the DC.

Rowland

Patrick Goetz
2022-Mar-15 14:47 UTC
[Samba] How to test that the administrator password is correct in a script?
On 3/14/22 15:52, Andrew Bartlett wrote:
> On Mon, 2022-03-14 at 11:48 -0500, Patrick Goetz via samba wrote:
>>
>> On 3/14/22 10:33, Rowland Penny via samba wrote:
>>> On Mon, 2022-03-14 at 09:23 -0500, Patrick Goetz via samba wrote:
>>>> Since this took longer than I thought to get right, I'm sharing
>>>> the bash shell snippet used to test that the Administrator
>>>> password the script user entered is correct before proceeding.
>>>> I looked at Rowland's thing, but this seemed simpler:
>>>>
>>>> ($DATASERVER can be any old computer bound to the domain)
>>>> ----------------------------------------------------------------------
>>>> read -s -p "Administrator Password: " APASS
>>>> echo
>>>>
>>>> PWCHECK=$(samba-tool computer show $DATASERVER \
>>>>     --attributes=sAMAccountName -H ldap://samba-dc \
>>>>     -U "administrator%${APASS}" 2>&1)
>>>>
>>>> PWCHECK=${PWCHECK:0:2}
>>>>
>>>> if [ "${PWCHECK}" != "dn" ]; then
>>>>     echo "Administrator password is incorrect"
>>>>     exit 1
>>>> fi
>>>
>>> Yes, it is simpler, but your way is sending Administrators password
>>> over the wire, mine doesn't.
>>>
>>
>> Hmmm, that's a good point. I guess I assumed that the samba-tool
>> communications would be encrypted -- is that not the case?
>>
>
> Rowland misspoke, the concern is not 'the wire', it is the poor
> practice of having passwords on the command line. While Samba tries to
> wipe the command line soon after main() is called, there is a race
> where all users on the system can see all command-line parameters.
>

It took me a second to figure out what you're talking about here. To me this is an argument for sandboxing services more than anything else. Since no users log in directly on the server I'm running this script on, command line detection is of little concern.

Good to know about the PASSWD environment variable, though. That sounds like a good alternative in situations where users are able to run `ps auxw`.

The control flow then would be something like:

    prompt for password using read -s
    export PASSWD=$PASSWD
    <do stuff requiring authentication>
    unset PASSWD

> Depending on the levels of shell, also watch out for meta-characters in
> the password.
>
> Better options include putting the password in a password file
> (protected by permissions), stdin (as long as you don't just move the
> problem to another binary), or an environment variable.
>
> We now put some of this info into our documentation:
>
>     If --password is not specified, the tool will check the
>     <envar>PASSWD</envar> environment variable, followed by
>     <envar>PASSWD_FD</envar> which is expected to contain an open
>     file descriptor (FD) number.
>
>     Finally it will check <envar>PASSWD_FILE</envar> (containing
>     a file path to be opened). The file should only contain the
>     password. Make certain that the permissions on the file
>     restrict access from unwanted users!
>
>
> Andrew Bartlett
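
Added example, not part of the thread and not Samba project code: the password check from the first post, reworked so the password reaches samba-tool through the PASSWD_FD mechanism quoted from the documentation above instead of through `-U user%password`. The function names and the SAMBA_TOOL override are hypothetical; `$DATASERVER` and `ldap://samba-dc` are taken from the original snippet.

```sh
#!/bin/sh
# Added example: check the Administrator password without ever placing it
# on a command line. SAMBA_TOOL is a hypothetical override (for testing).

# run_with_password PASSWORD CMD [ARGS...]
# Runs CMD with the password readable on file descriptor 3 and PASSWD_FD=3
# set for CMD only. The here-document expands $_pw once and does not
# re-parse the result, so shell metacharacters in the password are inert.
run_with_password() {
    _pw=$1
    shift
    PASSWD_FD=3 "$@" 3<<EOF
$_pw
EOF
}

# check_admin_password PASSWORD COMPUTER LDAP_URL
# Same test as in the thread: output that starts with "dn" means the
# lookup succeeded; anything else is treated as a failed check.
check_admin_password() {
    out=$(run_with_password "$1" "${SAMBA_TOOL:-samba-tool}" computer show "$2" \
            --attributes=sAMAccountName -H "$3" -U administrator 2>&1) || true
    case $out in
        dn*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Interactive use: sh check.sh --prompt   (with DATASERVER set, as in the thread)
if [ "${1:-}" = "--prompt" ]; then
    printf 'Administrator Password: ' >&2
    trap 'stty echo; exit 130' INT TERM   # restore echo if interrupted
    stty -echo
    IFS= read -r APASS
    stty echo
    echo >&2
    if ! check_admin_password "$APASS" "$DATASERVER" ldap://samba-dc; then
        echo "Administrator password is incorrect" >&2
        exit 1
    fi
fi
```

Because PASSWD_FD is assigned on the command's own line, it exists only for that one samba-tool invocation, so there is nothing to unset afterwards and the password itself never enters the environment or the argument list.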