[Samba] Password complexity checks and local users...

Rowland Penny rpenny at samba.org
Thu Jun 21 08:49:14 UTC 2018 

On Thu, 21 Jun 2018 09:55:59 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> AFAI've understood 'samba-tool domain passwordsettings' set domain
> password settings, while the GPO equivalent settings is for the client
> (windows client and server os).
> 
> Currently i've enabled password complexity checks server side:
> 
>  root at vdcsv1:~# samba-tool domain passwordsettings show
>  Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it'
>  
>  Password complexity: on
>  Store plaintext passwords: off
>  Password history length: 5
>  Minimum password length: 8
>  Minimum password age (days): 0
>  Maximum password age (days): 90
>  Account lockout duration (mins): 30
>  Account lockout threshold (attempts): 5
>  Reset account lockout after (mins): 5
> 
> mostly because i need custom policy (eg, a 'check password script').
> 
> 
> But i've disabled them in GPO, but still local users (eg,
> Administrator) seems have that policy applied:
> 
> 	net user Administrator kaaPxvqEXW
> 	La password non soddisfa i requisiti dei Criteri di password.
> Verificare la lunghezza minima della password, la complessit\205
> della password e i requisiti della cronologia della password.
> Ulteriori informazioni sono disponibili digitando NET HELPMSG 2245.
> 
> 'net user Administrator' does not impact on 'Password history length'
> (eg, i can set the same password), so the only things i can hit is the
> 'Password complexity', because the password does not contain
> punctuation.

It doesn't have to contain punctuation:

The password contains characters from three of the following categories:

    Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    Base 10 digits (0 through 9)
    Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
    Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

So, as I am sure you can see, 'kaaPxvqEXW' only passes the first two.
It contains uppercase and lowercase, but neither numbers or punctuation.

I think you need to look very closely at your 'winadminpassword'
script, it should only produce passwords that meet your set complexity,
perhaps tie it into obtaining the complexity set in AD.

Rowland

> 
> Nota that password like that are generated with a script
> ('winadminpassword'), and when the generated password have a
> punctuation char, windows get the password as expected.
> 
> 
> Someone have some clue?! Thanks.
>

More information about the samba mailing list