mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
12e97ee3e8
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
44 lines
1.7 KiB
XML
44 lines
1.7 KiB
XML
<samba:parameter name="check password script"
|
|
context="G"
|
|
type="string"
|
|
substitution="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>The name of a program that can be used to check password
|
|
complexity. The password is sent to the program's standard input.</para>
|
|
|
|
<para>The program must return 0 on a good password, or any other value
|
|
if the password is bad.
|
|
In case the password is considered weak (the program does not return 0) the
|
|
user will be notified and the password change will fail.</para>
|
|
|
|
<para>In Samba AD, this script will be run <emphasis>AS ROOT</emphasis> by
|
|
<citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum>
|
|
</citerefentry> without any substitutions.</para>
|
|
|
|
<para>Note that starting with Samba 4.11 the following environment variables are exported to the script:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user,
|
|
the is the same as the %u substitutions in the none AD DC case.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
SAMBA_CPS_FULL_NAME is optional if the displayName is present.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command>
|
|
that uses cracklib to check the password quality.</para>
|
|
|
|
</description>
|
|
|
|
<value type="default"><comment>Disabled</comment></value>
|
|
<value type="example">/usr/local/sbin/crackcheck</value>
|
|
</samba:parameter>
|