update google password using samba password chat

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

update google password using samba password chat

Samba - General mailing list
Dear all,

I am checking out all possibilities to update  a google password when a
user changes his/her samba password..
I tested with  "passwd program="
But my script /sbin/update-google  never gets executed

The script uses GAM  to update the password ( https://github.com/jay0lee/GAM
 )



samba Version 4.2.14-Debian

[general]
       unix password sync = yes
       passwd program=/sbin/update-google %u
       passwd chat= *password* %n\n *google-password-updated*
       passwd chat debug = yes
       log level = 100

Every idea or suggestion is more than welcome....

regards,


Johan Verdoodt
Belgium
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
On Mon, 3 Jul 2017 09:35:15 +0200
Johan Verdoodt via samba <[hidden email]> wrote:

> Dear all,
>
> I am checking out all possibilities to update  a google password when
> a user changes his/her samba password..
> I tested with  "passwd program="
> But my script /sbin/update-google  never gets executed
>
> The script uses GAM  to update the password
> ( https://github.com/jay0lee/GAM )
>
>
>
> samba Version 4.2.14-Debian
>
> [general]
>        unix password sync = yes
>        passwd program=/sbin/update-google %u
>        passwd chat= *password* %n\n *google-password-updated*
>        passwd chat debug = yes
>        log level = 100
>

OK, 'unix password sync' is meant to be used in [global], you seem to
have it in a share.

Can we see your entire smb.conf.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 2017-07-03 at 09:35 +0200, Johan Verdoodt via samba wrote:
> Dear all,
>
> I am checking out all possibilities to update  a google password when a
> user changes his/her samba password..
> I tested with  "passwd program="
> But my script /sbin/update-google  never gets executed

> The script uses GAM  to update the password ( https://github.com/jay0lee/GAM
>  )
>

If you are running the Samba AD DC, then for 4.5 you can use the
'samba-tool user syncpasswords' tool.  
https://www.samba.org/samba/history/samba-4.5.0.html

For Samba 4.7 you can use the new 'password hash userPassword schemes'
option to store a crypt() password when the user's password is changed,
rather than a GPG encrypted plaintext.

The 'passwd program' does not operate on the AD DC.

I hope this helps,

Andrew Bartlett


--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
>The 'passwd program' does not operate on the AD DC.

Ok that explains a lot.

Thanks  !   I will checkout the docs :-)

2017-07-03 10:34 GMT+02:00 Andrew Bartlett <[hidden email]>:

> On Mon, 2017-07-03 at 09:35 +0200, Johan Verdoodt via samba wrote:
> > Dear all,
> >
> > I am checking out all possibilities to update  a google password when a
> > user changes his/her samba password..
> > I tested with  "passwd program="
> > But my script /sbin/update-google  never gets executed
>
> > The script uses GAM  to update the password (
> https://github.com/jay0lee/GAM
> >  )
> >
>
> If you are running the Samba AD DC, then for 4.5 you can use the
> 'samba-tool user syncpasswords' tool.
> https://www.samba.org/samba/history/samba-4.5.0.html
>
> For Samba 4.7 you can use the new 'password hash userPassword schemes'
> option to store a crypt() password when the user's password is changed,
> rather than a GPG encrypted plaintext.
>
> The 'passwd program' does not operate on the AD DC.
>
> I hope this helps,
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>


--
Mvg,

Bednet vzw - synchroon internetonderwijs
Met steun van de Vlaamse Overheid

Johan Verdoodt
Stapsteenweg 1B, 9070 Destelbergen
✆ +32 (0) 479/ 45 19 17

Volg ons op Facebook <http://www.facebook.com/bednet> en Twitter
<http://www.twitter.com/BednetBE>
https://www.bednet.be
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
In reply to this post by Samba - General mailing list
Mandi! Johan Verdoodt via samba
  In chel di` si favelave...

> Every idea or suggestion is more than welcome....

Sorry for the very late answer.


You can also use 'check password script' for things like that.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
On Mon, 10 Jul 2017 15:15:35 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Mandi! Johan Verdoodt via samba
>   In chel di` si favelave...
>
> > Every idea or suggestion is more than welcome....
>
> Sorry for the very late answer.
>
>
> You can also use 'check password script' for things like that.
>

Sorry, but I fail to see how a script to check password complexity will
help in changing a google password.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
Mandi! Rowland Penny via samba
  In chel di` si favelave...

> > You can also use 'check password script' for things like that.
> Sorry, but I fail to see how a script to check password complexity will
> help in changing a google password.

In 'check password script' you have the user (it suffices to use %U) in
commandline and the password in STDIN, so base ingredient are here.

Also, if the script fail (eg, error code not 0) password chage are
refused (indeed, with a generic message about complexity rules not
meet).


Abused ever since. ;-)

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
On Mon, 2017-07-10 at 16:20 +0200, Marco Gaiarin via samba wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
>
> > > You can also use 'check password script' for things like that.
> >
> > Sorry, but I fail to see how a script to check password complexity will
> > help in changing a google password.
>
> In 'check password script' you have the user (it suffices to use %U) in
> commandline and the password in STDIN, so base ingredient are here.
>
> Also, if the script fail (eg, error code not 0) password chage are
> refused (indeed, with a generic message about complexity rules not
> meet).
>
>
> Abused ever since. ;-)

Please don't do that.  It holds the transaction lock open for the full
time the script runs, can't read the database if it has changed during
that transaction, doesn't know if the transaction is later aborted and
has to be set up on each DC.

That is why we added the proper support for saving a crypt() based
sha512 password for 4.7.

To discourage this use in the AD DC, the %U is not subbed in. That is a
good thing, because dcesrv_samr_ValidatePassword also calls it, and
this isn't actually changing anybodies password, and isn't access
controlled!

So please don't do that.  For the 'classic' or NT4 DC, see 'passwd
chat', 'passwd program' and 'unix password sync', or the slightly more
elegant 'ldap passwd sync' (and then read the {CRYPT} password from
userPassword on your openldap server).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
Mandi! Andrew Bartlett via samba
  In chel di` si favelave...

> > Abused ever since. ;-)
> Please don't do that.

I *need* that. I was aware of drawbacks, and i supposed i need to setup
on every DC, but i *need* that because, apart doing some lazy things, i
use that hack to manage password propagation to some legacy system.


> To discourage this use in the AD DC, the %U is not subbed in.

AArrgghh!!! NO!!!
From what version of samba?

It is very critical to me... :-(((

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
On Wed, 2017-07-12 at 12:34 +0200, Marco Gaiarin via samba wrote:

> Mandi! Andrew Bartlett via samba
>   In chel di` si favelave...
>
> > > Abused ever since. ;-)
> >
> > Please don't do that.
>
> I *need* that. I was aware of drawbacks, and i supposed i need to setup
> on every DC, but i *need* that because, apart doing some lazy things, i
> use that hack to manage password propagation to some legacy system.
>
>
> > To discourage this use in the AD DC, the %U is not subbed in.
>
> AArrgghh!!! NO!!!
> From what version of samba?
>
> It is very critical to me... :-(((

It never was.  It was added to the AD DC with Samba 4.5, without %
subs.  See 878fa6ef7de420ed7f28e95113bb76bf50879553 for the commit.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: update google password using samba password chat

Samba - General mailing list
Mandi! Andrew Bartlett via samba
  In chel di` si favelave...

> It never was.  It was added to the AD DC with Samba 4.5, without %
> subs.  See 878fa6ef7de420ed7f28e95113bb76bf50879553 for the commit.

Google lead me to:

        https://lists.samba.org/archive/samba-cvs/2016-July/113487.html


Uh. Ok. I've to revamp back my bad hack of looking at parent pid of the
script, to have the uid/user... ;(((

Please, consider adding at least the '%U' expansion...


PS: it was not clear to me if was added to 4.5.0 or to some 4.5.X point
    release...

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...