[PATCH] Implement the check password script functionality in AD

Stefan Metzmacher metze at samba.org
Mon Jun 20 09:38:56 UTC 2016


Hi Garming,

> While I definitely agree that it's the way to go for syncing, it seems
> prohibitive when all someone wishes to do is exclude a specific character
> from their passwords. I can understand that you'd feel strongly about
> this, and that people should not be using this for any sync actions. Is
> the check password script parameter actually implemented any
> better in the source3 code?

Yes, the samr server is the only place that enforces/runs the script.
And that's the only way a user can remotely change the password.

There we check the complexity and then call pdb_update_sam_account().

But on an AD DC we handle password changes via LDAP via the ldb module
stack.

> Otherwise, it only matches and I think has an
> additional imposed time limit.
> 
> It always seems that the simplest things are the hardest to get right. So
> it goes...

It seems so...

metze
