[PATCH] Implement the check password script functionality in AD

Stefan Metzmacher metze at samba.org
Mon Jun 20 09:38:56 UTC 2016

Hi Garming,

> While I definitely agree that it's the way to go for syncing, it seems
> prohibitive when all someone wishes to do is exclude a specific character
> from their passwords. I can understand that you'd feel strongly about
> this, and that people should not be using this for any sync actions. Is
> the check password script parameter parameter actually implemented any
> better in the source3 code?

Yes, the samr server is the only place that enforces/runs the script.
And that's the only way a user can remotely change the password.

There we check the complexity and then call pdb_update_sam_account().

But on an AD DC we handle password changes via LDAP via the ldb module

> Otherwise, it only matches and I think has an
> additional imposed time limit.
> It always seems that the simplest things are the hardest to get right. So
> it goes...

It seems so...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160620/9b8bb56d/signature.sig>

More information about the samba-technical mailing list