I am using 3.0a22 as a PDC with LDAP SAM backend. I am using a Python script as a
"passwd program" to sync LDAP passwords.

My Python script uses a first line of "#!/usr/bin/env python" and is normally mode
750, owned by root:root. It worked fine under 3.0a21.

Under 3.0a21, the script no longer executes when a remote user requests a password
change. I can make it work, but first let me say that with SMBD set to log level of
100 and passwd chat debug = YES, I see this:

[2003/03/06 12:54:47, 3] smbd/chgpasswd.c:chat_with_program(441)
Dochild for user mattro (uid=0,gid=0)
[2003/03/06 12:54:47, 10] smbd/chgpasswd.c:dochild(215)
Invoking '/usr/local/sbin/ldapsamutil.py -p mattro' as password change program.
[2003/03/06 12:54:47, 0] lib/util_sock.c:read_socket_with_timeout(275)
read_socket_with_timeout: timeout read. read error = Input/output error.
[2003/03/06 12:54:47, 100] smbd/chgpasswd.c:expect(270)
expect: expected [New Password: ] received [sh: /usr/local/sbin/ldapsamutil.py:
Permission denied
] match no

To make it work, I add read and execute bits for everybody (need read for the Python
interpreter and execute to make the script executable) then it works. It's insecure,
but it works.

So it looks like the logfile entry above that says the child is executing as
uid=0,gid=0 is not actually happening.

Working modes for the script include 755 and 005, of all things, on a script owned by
root:root. Nonworking modes for the script include 750, 770, etc.

If anyone would like to see more logfile data, please let me know.

Thanks,
Matt
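
The working and nonworking modes listed above can be checked against a simplified model of the classic Unix mode-bit test. The following is an added example, not part of the original post and not Samba code. It ignores ACLs, capabilities, LSMs and directory permissions, and the candidate identities (including uid/gid 1000) are constructed for illustration.

```python
import stat

# Constructed identities to test; uid/gid 1000 is an arbitrary unprivileged account.
CANDIDATES = {
    "uid=0,gid=0": (0, 0),
    "non-root, gid 0": (1000, 0),
    "non-root, outside gid 0": (1000, 1000),
}
# Modes reported in the post for the root:root script -> did the script run?
OBSERVED = {0o755: True, 0o005: True, 0o750: False, 0o770: False}


def perm_class(file_uid, file_gid, euid, egid, groups=()):
    """Pick the single triplet the kernel consults; classes are not cumulative."""
    if euid == file_uid:
        return "owner"
    if egid == file_gid or file_gid in groups:
        return "group"
    return "other"


def can_run_script(mode, file_uid, file_gid, euid, egid, groups=()):
    """A '#!' script needs x (to exec it) and r (for the interpreter to read it)."""
    if euid == 0:
        # root skips the read check; exec still needs an x bit in some triplet
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    shift = {"owner": 6, "group": 3, "other": 0}[
        perm_class(file_uid, file_gid, euid, egid, groups)]
    return ((mode >> shift) & 0o5) == 0o5


def consistent_identities(observed, file_uid=0, file_gid=0):
    """Return the candidate identities whose predictions match every observation."""
    return [
        label for label, (euid, egid) in CANDIDATES.items()
        if all(can_run_script(m, file_uid, file_gid, euid, egid) == ok
               for m, ok in observed.items())
    ]


if __name__ == "__main__":
    for mode in OBSERVED:
        row = {l: can_run_script(mode, 0, 0, u, g) for l, (u, g) in CANDIDATES.items()}
        print(f"{mode:04o}", row)
    print("consistent with the post:", consistent_identities(OBSERVED))
```

Under this model a process running as uid 0 would execute the script in all four modes, and a process in group 0 would fail on mode 005, so only an identity in the "other" class reproduces the reported results.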