Password history checks
Jeremy Allison
jra at samba.org
Thu Dec 3 18:12:05 UTC 2015
On Wed, Dec 02, 2015 at 03:50:16PM +0100, Jérémie Courrèges-Anglas wrote:
>
> Hi,
>
> a client recently asked us about the password policy settings they could
> enforce in their Samba 4 AD domain.
>
> It *seems* that one of their wishes can't be fulfilled right now: the
> password history check[1]. This is supposed to prevent users from
> reusing the same passwords. Samba 4 is able to store up to 24 previous
> passwords, but it doesn't seem to check for password reuse when a user
> changes his credentials.

Hmmm. Looking at the code (admittedly the AD code isn't
the area I'm most familiar with) there is a return SAM_PWD_CHANGE_PWD_IN_HISTORY
error which can be returned from check_password_restrictions() inside
the AD-DC code. check_password_restrictions() does check the
password history, but only on nt_hash and lm_hash values.

Can you give us more info on how you've tested this?

More information about the samba-technical mailing list