[Samba] password complexity bypasswd by check password script
Andrew Bartlett
abartlet at samba.org
Thu Feb 24 21:36:45 UTC 2022
On Thu, 2022-02-24 at 21:29 +0000, Rowland Penny via samba wrote:
> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> >
> > I was wondering why my DC allowed users to set weak passwords even
> > if
> > the
> > domain password policy requires "complexity".
> >
> > I'm using a "check password script" that verifies if the password
> > is
> > leaked
> > in the HIBP database. I found that defining a check password script
> > REPLACE
> > completely the built-in password complexity check.
>
> How are you creating users, using 'samba-tool user add' requires the
> username and password, so you could feed it the output of your 'check
> password script' and if this password didn't meet the domain password
> complexity, the user wouldn't be created.
>
> Rowland
Yes, we need a pile more context on how Samba is being configured,
which major mode (AD, NT4-DC) etc. While Samba tries to implement
common options across the suite, the backend handling is quite
different so these details matter.
In AD yes, we expect that if the administrator is specifying a script,
they want full control over the rules, that has been the behaviour
since it was implemented here:
commit 878fa6ef7de420ed7f28e95113bb76bf50879553
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Apr 1 10:10:57 2016 +1300
check-password-script: Allow AD to execute these scripts
In contrast to source3, this is run as root and without
substitution.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Otherwise there would be no way to turn off the simplistic rules that
prevent the modern passphrase "correct horse battery staple" style
passwords.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba
mailing list