[Samba] 'check password script' and Join...

Andrew Bartlett abartlet at samba.org
Tue Oct 24 17:55:47 UTC 2017

On Tue, 2017-10-24 at 18:07 +0200, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> > The password settings are related to the DC and by default you cannot
> > set or change a password if it isn't complex enough
> Ok.
> > , you do not need to use an external script.
> Ahem, someone out there need it. ;-)
> This mean that, if i keep a 'check password script', i could also hit
> some trubles on, eg, workstation join or the renew of the machine
> password?


	/* Only non-trust accounts have restrictions (possibly this
test is the
	 * wrong way around, but we like to be restrictive if possible
	io->u.restrictions = !(io->u.userAccountControl


	if (io->u.restrictions == 0) {
		/* FIXME: Is this right? */
		return LDB_SUCCESS;

The script won't be run for machine accounts. 

> > Problem with using GPOs for password complexity, GPOs do not apply to
> > Samba DCs.
> Ok, i mean that: i can setup password policies on GPOs, but the DCs
> cannot ''enforce'' it.

The settings don't apply from the GPO into the AD DC yet.  I am
reviewing patches to fix that however. 

> So, trying to summarize:
> a) 'check password script' are called for every password change, also
>  the ''system'' one (join, ...); this can be a potential source of
> trouble.

No, just for users.  That could include 'service accounts' created by
other software, but not actual machine accounts. 

> b) password policies defined with 'samba-tool domain passwordsettings
>  set' are ''per DCs'', they not get ''replicated''.

No, they are replicated.

> c) if you need to enforce password policies in a domain, you have to
>  set password policies for every DCs.

No, the settings are in the replicated sam.ldb. 

> Right? Thanks.
> PS: and domain members? How they enforce passwords policies? Directly
>   on AD DC, i suppose... but i'll ask. ;-)

They don't ask the DC for the choice of local user passwords as far as
I'm aware.  There is an API to check if a password is OK (SAMR
ValidatePassword), but I've not seen it called for that, but I've also
not really been looking. 

Thanks for asking for clarification, I hope this puts you at ease.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list