Password history checks

Jérémie Courrèges-Anglas jca at
Fri Dec 4 10:57:13 UTC 2015

Le 03/12/2015 19:12, Jeremy Allison a écrit :
> On Wed, Dec 02, 2015 at 03:50:16PM +0100, Jérémie Courrèges-Anglas wrote:
>> Hi,
>> a client recently asked us about the password policy settings they could
>> enforce in their Samba 4 AD domain.
>> It *seems*

I'm glad I put stress on that word...

>> that one of their wishes can't be fulfilled right now: the
>> password history check[1].  This is supposed to prevent users from
>> reusing the same passwords. Samba 4 is able to store up to 24 previous
>> passwords, but it doesn't seem to check for password reuse when a user
>> changes his credentials.
> Hmmm. Looking at the code (admittedly the AD code isn't
> the area I'm most familiar) there is a return SAM_PWD_CHANGE_PWD_IN_HISTORY
> error which can be returned from check_password_restrictions() inside
> the AD-DC code. check_password_restrictions() does check the
> password history, but only on nt_hash and lm_hash values.


> Can you give us more info on how you've tested this ?

The tests were broken.  On a Windows 7 host served by a samba-4.3.1 AD
DC, whenever a domain user changes his password, the password history is
indeed checked and password reuse is disallowed.

Thanks a lot to Andrew and you for your answer, and apologies for the noise.


* (samba-tool domain passwordsettings set --complexity=on)
Jérémie Courrèges-Anglas - Tranquil IT Systems
Support Tranquil IT : - technique at -

More information about the samba-technical mailing list