summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/security/checkpasswordscript.xml
blob: 18aa2c6d290e5176092d74424a45222935a2d4d3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<samba:parameter name="check password script"
                 context="G"
                 type="string"
                 substitution="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>The name of a program that can be used to check password
    complexity. The password is sent to the program's standard input.</para>

    <para>The program must return 0 on a good password, or any other value
    if the password is bad.
    In case the password is considered weak (the program does not return 0) the
    user will be notified and the password change will fail.</para>

    <para>In Samba AD, this script will be run <emphasis>AS ROOT</emphasis> by
    <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum>
    </citerefentry> without any substitutions.</para>

    <para>Note that starting with Samba 4.11 the following environment variables are exported to the script:</para>

    <itemizedlist>
	<listitem><para>
	SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user,
	the is the same as the %u substitutions in the none AD DC case.
	</para></listitem>

	<listitem><para>
	SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present.
	</para></listitem>

	<listitem><para>
	SAMBA_CPS_FULL_NAME is optional if the displayName is present.
	</para></listitem>
    </itemizedlist>

    <para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command>
    that uses cracklib to check the password quality.</para>

</description>

<value type="default"><comment>Disabled</comment></value>
<value type="example">/usr/local/sbin/crackcheck</value>
</samba:parameter>