CVE-2026-4408: docs-xml/smbdotconf: clarify '%u' in 'check password script'

Admins should use SAMBA_CPS_ACCOUNT_NAME.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 26 13:54:03 UTC 2026 on atb-devel-224

diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml
index 18aa2c6d290e5176092d74424a45222935a2d4d3..dd162d89f08a578108de06d4354884dfabee5a6f 100644 (file)
--- a/docs-xml/smbdotconf/security/checkpasswordscript.xml
+++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml
@@ -20,8 +20,8 @@
 
     <itemizedlist>
        <listitem><para>
-       SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user,
-       the is the same as the %u substitutions in the none AD DC case.
+       SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user.
+       It is the same as the '%u' substitutions in the non AD DC case.
        </para></listitem>
 
        <listitem><para>
@@ -33,6 +33,12 @@
        </para></listitem>
     </itemizedlist>
 
+    <para>Even on a non AD DC SAMBA_CPS_ACCOUNT_NAME is the preferred way to access the
+    account name, as it contains the raw value provided by the client. If that's not
+    possible you should use single quotes (directly) around %u, e.g. /path/to/somescript '%u',
+    see CVE-2026-4408 for more details.
+    </para>
+
     <para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command>
     that uses cracklib to check the password quality.</para>