[PATCH] Implement the check password script functionality in AD
metze at samba.org
Mon Jun 20 09:38:56 UTC 2016
> While I definitely agree that it's the way to go for syncing, it seems
> prohibitive when all someone wishes to do is exclude a specific character
> from their passwords. I can understand that you'd feel strongly about
> this, and that people should not be using this for any sync actions. Is
> the check password script parameter actually implemented any
> better in the source3 code?
Yes, the samr server is the only place that enforces/runs the script.
And that's the only way a user can remotely change the password.
There we check the complexity and then call pdb_update_sam_account().
But on an AD DC we handle password changes via LDAP via the ldb module
> Otherwise, it only matches and I think has an
> additional imposed time limit.
> It always seems that the simplest things are the hardest to get right. So
> it goes...
It seems so...