Hi Holger, On Mo 01 Apr 2013 15:26:04 CEST Holger Levsen wrote:
On Montag, 1. April 2013, mike-gabriel-guest@alioth.debian.org wrote:Author: mike-gabriel-guest Date: 2013-04-01 12:53:32 +0000 (Mon, 01 Apr 2013) New Revision: 79569 Modified: trunk/src/debian-edu-config/debian/changelog trunk/src/debian-edu-config/etc/samba/smb-debian-edu.conf Log: Fix passwd sync in Samba, point users to using GOsa?194?178 for password changes. (Partially resolves: #656296).at first I was only concered, because I couldnt see debian-edu-config depend or recommend krb5-admin-server which provices /usr/sbin/kadmin.local but then I also wondered about the following:+ # sync Kerberos password via kadmin.local + unix password sync = yes + passwd program = /usr/sbin/kadmin.local -q 'cpw %u' + passwd chat = "Authenticating as principal*"n"Enter password for principal *"%u"*:*" %nn n"Re-enter password for principal *"%u"*:*" %nnthis doesn't allow for translations :-(
Samba calls the passwd chat with LANG=C. No need to consider translations here.
n"Password for *"%u"@* changed."n + # dangerous: reveals clear text password in Samba log files... + passwd chat debug = nowhat? or rather, what the f?! why oh why by the love of kittens, why does it write passwords into a logfile? My brain hurts.If this is really the case, I suggest to revert this "fix". This is worse thanhow it was before.
As passwd chat debug is set to know, the danger is non-existant. The warning means: don't set the passwd chat debug to ,,yes'' here. Only then it will reveal plain text passwords in syslog.
Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
pgpQDYZbbBU1Z.pgp
Description: Digitale PGP-Unterschrift