summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/security/checkpasswordscript.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/smbdotconf/security/checkpasswordscript.xml')
-rw-r--r--docs-xml/smbdotconf/security/checkpasswordscript.xml43
1 files changed, 43 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml
new file mode 100644
index 0000000..18aa2c6
--- /dev/null
+++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="check password script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The name of a program that can be used to check password
+ complexity. The password is sent to the program's standard input.</para>
+
+ <para>The program must return 0 on a good password, or any other value
+ if the password is bad.
+ In case the password is considered weak (the program does not return 0) the
+ user will be notified and the password change will fail.</para>
+
+ <para>In Samba AD, this script will be run <emphasis>AS ROOT</emphasis> by
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum>
+ </citerefentry> without any substitutions.</para>
+
+ <para>Note that starting with Samba 4.11 the following environment variables are exported to the script:</para>
+
+ <itemizedlist>
+ <listitem><para>
+ SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user,
+ the is the same as the %u substitutions in the none AD DC case.
+ </para></listitem>
+
+ <listitem><para>
+ SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present.
+ </para></listitem>
+
+ <listitem><para>
+ SAMBA_CPS_FULL_NAME is optional if the displayName is present.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command>
+ that uses cracklib to check the password quality.</para>
+
+</description>
+
+<value type="default"><comment>Disabled</comment></value>
+<value type="example">/usr/local/sbin/crackcheck</value>
+</samba:parameter>