path: root/docs/docbook/smbdotconf/security/passwdprogram.xml
blob: 22235322c8d911f0ebdc707f93d6b6fc80eb4fcc (plain)
<samba:parameter name="passwd program"
                 context="G"
                 advanced="1" developer="1"
		 xmlns:samba="http://samba.org/common">
<listitem>
    <para>The name of a program that can be used to set 
    UNIX user passwords.  Any occurrences of <parameter moreinfo="none">%u</parameter> 
    will be replaced with the user name. The user name is checked for 
    existence before calling the password changing program.</para>

    <para>Also note that many passwd programs insist on <emphasis>reasonable
    </emphasis> passwords, such as a minimum length, or the inclusion 
    of mixed-case characters and digits. This can pose a problem as some clients 
    (such as Windows for Workgroups) uppercase the password before sending 
    it.</para>

    <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix 
    password sync</parameter> parameter is set to <constant>yes
    </constant> then this program is called <emphasis>AS ROOT</emphasis> 
    before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry>
    <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </ulink> file is changed. If this UNIX password change fails, then 
    <command moreinfo="none">smbd</command> will fail to change the SMB password also 
    (this is by design).</para>

    <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter 
    is set, this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> 
    for <emphasis>ALL</emphasis> programs called, and must be examined 
    for security implications. Note that by default <parameter moreinfo="none">unix 
    password sync</parameter> is set to <constant>no</constant>.</para>

    <para>Note that this program is only invoked when a password change is
    done via the smbd program, not when smbpasswd is used locally as root to
    change a password. This means that you cannot run "smbpasswd USERNAME" as
    root on the SMB server in order to test this parameter, but should run the
    command "smbpasswd -r SMBMACHINE" as a non-root user instead if you want
    to test the invocation of this program.</para>

    <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix 
    password sync</parameter></link>.</para>

    <para>Default: <command moreinfo="none">passwd program = /bin/passwd</command></para>

    <para>Example: <command moreinfo="none">passwd program = /sbin/npasswd %u</command></para>
</listitem>
</samba:parameter>
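
The absolute-path requirement above can be checked mechanically. The following audit script is an added example, not part of the Samba documentation or source. It assumes a plain `[global]` section with no includes or line continuations; the function names and sample configuration are hypothetical. It checks only the first program named, so a wrapper script still has to be read by hand for the programs it calls, and world-writable parent directories are flagged conservatively even if the sticky bit is set.

```python
import os
import shlex
import stat

TRUE_VALUES = {"yes", "true", "on", "1"}
DEFAULT_PROGRAM = "/bin/passwd"  # default given on this page

def global_params(conf_text):
    """Collect [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def audit_passwd_program(conf_text, stat_fn=os.stat):
    """Return findings for 'passwd program' when smbd would run it as root."""
    p = global_params(conf_text)
    if p.get("unixpasswordsync", "no").lower() not in TRUE_VALUES:
        return []  # sync off: the run-as-root caveat does not apply
    argv = shlex.split(p.get("passwdprogram", DEFAULT_PROGRAM))
    if not argv or not os.path.isabs(argv[0]):
        return [f"{argv[0] if argv else '(empty)'}: not an absolute path"]
    findings, path = [], argv[0]
    while True:  # the program itself, then each parent directory up to /
        try:
            st = stat_fn(path)
        except OSError:
            findings.append(f"{path}: cannot stat")
            break
        if st.st_uid != 0:
            findings.append(f"{path}: not owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return findings

# Constructed sample, not a real configuration.
SAMPLE = "[global]\n  unix password sync = yes\n  passwd program = npasswd %u\n"
```

Run `audit_passwd_program(open("/etc/samba/smb.conf").read())` on the server itself (the path is an assumption; use your installation's location) so that the ownership and mode checks see the real filesystem.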