Password history checks

Jeremy Allison jra at
Thu Dec 3 18:12:05 UTC 2015

On Wed, Dec 02, 2015 at 03:50:16PM +0100, Jérémie Courrèges-Anglas wrote:
> Hi,
> a client recently asked us about the password policy settings they could
> enforce in their Samba 4 AD domain.
> It *seems* that one of their wishes can't be fulfilled right now: the
> password history check[1].  This is supposed to prevent users from
> reusing the same passwords. Samba 4 is able to store up to 24 previous
> passwords, but it doesn't seem to check for password reuse when a user
> changes his credentials.

Hmmm. Looking at the code (admittedly the AD code isn't
the area I'm most familiar) there is a return SAM_PWD_CHANGE_PWD_IN_HISTORY
error which can be returned from check_password_restrictions() inside
the AD-DC code. check_password_restrictions() does check the
password history, but only on nt_hash and lm_hash values.

Can you give us more info on how you've tested this ?

More information about the samba-technical mailing list