Password history checks
Jérémie Courrèges-Anglas
jca at tranquil.it
Fri Dec 4 10:57:13 UTC 2015
On 03/12/2015 19:12, Jeremy Allison wrote:
> On Wed, Dec 02, 2015 at 03:50:16PM +0100, Jérémie Courrèges-Anglas wrote:
>>
>> Hi,
>>
>> a client recently asked us about the password policy settings they could
>> enforce in their Samba 4 AD domain.
>>
>> It *seems*
I'm glad I put stress on that word...
>> that one of their wishes can't be fulfilled right now: the
>> password history check[1]. This is supposed to prevent users from
>> reusing the same passwords. Samba 4 is able to store up to 24 previous
>> passwords, but it doesn't seem to check for password reuse when a user
>> changes his credentials.
>
> Hmmm. Looking at the code (admittedly the AD code isn't
> the area I'm most familiar) there is a return SAM_PWD_CHANGE_PWD_IN_HISTORY
> error which can be returned from check_password_restrictions() inside
> the AD-DC code. check_password_restrictions() does check the
> password history, but only on nt_hash and lm_hash values.
Yup.
> Can you give us more info on how you've tested this ?
The tests were broken. On a Windows 7 host served by a samba-4.3.1 AD
DC, whenever a domain user changes his password, the password history is
indeed checked and password reuse is disallowed.
Thanks a lot to Andrew and you for your answer, and apologies for the noise.
Cheers,
* (samba-tool domain passwordsettings set --complexity=on)
--
Jérémie Courrèges-Anglas - Tranquil IT Systems
Support Tranquil IT : 02.40.97.57.57 - technique at tranquil.it
http://www.tranquil-it-systems.fr - http://dev.tranquil.it