Password history checks
jra at samba.org
Fri Dec 4 17:07:18 UTC 2015
On Fri, Dec 04, 2015 at 11:57:13AM +0100, Jérémie Courrèges-Anglas wrote:
> Le 03/12/2015 19:12, Jeremy Allison a écrit :
> > On Wed, Dec 02, 2015 at 03:50:16PM +0100, Jérémie Courrèges-Anglas wrote:
> >> Hi,
> >> a client recently asked us about the password policy settings they could
> >> enforce in their Samba 4 AD domain.
> >> It *seems*
> I'm glad I put stress on that word...
> >> that one of their wishes can't be fulfilled right now: the
> >> password history check. This is supposed to prevent users from
> >> reusing the same passwords. Samba 4 is able to store up to 24 previous
> >> passwords, but it doesn't seem to check for password reuse when a user
> >> changes his credentials.
> > Hmmm. Looking at the code (admittedly the AD code isn't
> > the area I'm most familiar) there is a return SAM_PWD_CHANGE_PWD_IN_HISTORY
> > error which can be returned from check_password_restrictions() inside
> > the AD-DC code. check_password_restrictions() does check the
> > password history, but only on nt_hash and lm_hash values.
> > Can you give us more info on how you've tested this ?
> The tests were broken. On a Windows 7 host served by a samba-4.3.1 AD
> DC, whenever a domain user changes his password, the password history is
> indeed checked and password reuse is disallowed.
> Thanks a lot to Andrew and you for your answer, and apologies for the noise.
Oh, I'm so glad it works for you ! Nice to hear
good news for a change :-).
More information about the samba-technical