On Wed, 2022-04-13 at 17:21 -0400, ralph strebbing
wrote:> On Wed, Apr 13, 2022, 5:17 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
> > On Wed, 2022-04-13 at 12:10 -0400, ralph strebbing via samba wrote:
> >
> > Remote password changes are intended to be caught by the 'check
> >
> > password script' and we do have tests for this. Do you have this
> >
> > set identically on all DCs?
>
> We do. Did we need to push a GPUpdate? Because we didn't do that
> while testing. Also we aren't using a wrapper script as suggested in
> Jonathon's Gitlab repo, so our parameter is defined as:
> check password script = chkastropwd --path=/opt/pwcache
> With Samba-Tool that worked fine, but perhaps we NEED a wrapper
> script for it to work?
>
> Regards,
> Ralph
It should work the same, but samba-tool may be running in a very
different environment to 'samba', for example in terms of a PATH. Turn
up the logging in 'samba' via the smb.conf or (eg) -d10 to debug.
This isn't impacted by group policies and the same settings are
evaluated in both modes, indeed the same code is run (the password_hash
module is invoked in both cases and calls the same helper).
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead, Catalyst IT
https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions