
Re: [debian-edu-commits] r79569 - in trunk/src/debian-edu-config: debian etc/samba

Hi Holger,

On Mon 01 Apr 2013 15:26:04 CEST Holger Levsen wrote:

On Monday, 1 April 2013, mike-gabriel-guest@alioth.debian.org wrote:
Author: mike-gabriel-guest
Date: 2013-04-01 12:53:32 +0000 (Mon, 01 Apr 2013)
New Revision: 79569

Fix passwd sync in Samba, point users to using GOsa² for password
changes. (Partially resolves: #656296).

at first I was only concerned, because I couldn't see debian-edu-config depend
or recommend krb5-admin-server which provides /usr/sbin/kadmin.local
but then I also wondered about the following:

+   # sync Kerberos password via kadmin.local
+   unix password sync = yes
+   passwd program = /usr/sbin/kadmin.local -q 'cpw %u'
+   passwd chat = "Authenticating as principal*"n"Enter password for
principal *"%u"*:*" %nn n"Re-enter password for principal *"%u"*:*" %nn

this doesn't allow for translations :-(

Samba calls the passwd chat with LANG=C. No need to consider translations here.

n"Password for *"%u"@* changed."n +   # dangerous: reveals clear text
password in Samba log files... +   passwd chat debug = no
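
Review bot: The comment above "passwd chat debug = no" ("# dangerous: reveals clear text password in Samba log files...") reads as if the line it annotates were the dangerous one, while the exposure only exists with the value "yes". Reword it to state that, for example "keep at no: with yes, smbd writes the passwd chat, including the clear text password, to its log", so that nobody flips it for debugging and leaves it on. Also worth a line in the comment block: "passwd program" hard-codes /usr/sbin/kadmin.local and the chat strings match that program's English prompts literally, so the package needs a dependency that guarantees this binary is installed.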

what? or rather, what the f?! why oh why by the love of kittens, why does it
write passwords into a logfile? My brain hurts.

If this is really the case, I suggest to revert this "fix". This is worse than
how it was before.

As passwd chat debug is set to no, the danger is non-existent. The warning means: don't set the passwd chat debug to "yes" here. Only then it will reveal plain text passwords in syslog.



mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
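
The distinction drawn in the reply above (the setting only exposes passwords when it is "yes") can be checked mechanically. The following is an added example, not part of the original mail or of debian-edu-config: a small Python audit that reports the smb.conf sections in which passwd chat debug ends up enabled. The function names and both sample configurations are constructed for illustration.

```python
import re

# Values smbd accepts as boolean true; "on" is included conservatively.
TRUE_VALUES = {"yes", "true", "1", "on"}

def normalise(name):
    """smb.conf ignores case and all whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Join lines ending in a backslash, as smb.conf continuation requires."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def passwd_chat_debug_enabled(text):
    """Return the sections in which 'passwd chat debug' ends up true."""
    section, state = "global", {}
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalise(line[1:-1])
            continue
        name, sep, value = line.partition("=")
        if sep and normalise(name) == "passwdchatdebug":
            # A later assignment in the same section overrides an earlier one.
            state[section] = value.strip().lower() in TRUE_VALUES
    return sorted(s for s, on in state.items() if on)

# Constructed sample configurations (not taken from debian-edu-config).
SAFE = """[global]
   unix password sync = yes
   # dangerous: reveals clear text password in Samba log files...
   passwd chat debug = no
"""
RISKY = """[global]
   ; left over from a debugging session
   Passwd Chat  Debug = Yes
"""

if __name__ == "__main__":
    for label, conf in (("safe", SAFE), ("risky", RISKY)):
        print(label, passwd_chat_debug_enabled(conf))
```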

