[Samba] password complexity bypassed by check password script

Andrew Bartlett abartlet at samba.org
Thu Feb 24 21:36:45 UTC 2022

On Thu, 2022-02-24 at 21:29 +0000, Rowland Penny via samba wrote:
> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> > 
> > I was wondering why my DC allowed users to set weak passwords even if
> > the domain password policy requires "complexity".
> > 
> > I'm using a "check password script" that verifies if the password is
> > leaked in the HIBP database. I found that defining a check password
> > script completely bypasses the built-in password complexity check.
> How are you creating users? Using 'samba-tool user add' requires the
> username and password, so you could feed it the output of your 'check
> password script' and if this password didn't meet the domain password
> complexity, the user wouldn't be created.
> Rowland

Yes, we need a pile more context on how Samba is being configured,
which major mode (AD, NT4-DC) etc.  While Samba tries to implement
common options across the suite, the backend handling is quite
different so these details matter.

In AD, yes: we expect that if the administrator is specifying a script,
they want full control over the rules. That has been the behaviour
since it was implemented here:

commit 878fa6ef7de420ed7f28e95113bb76bf50879553
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Apr 1 10:10:57 2016 +1300

    check-password-script: Allow AD to execute these scripts
    In contrast to source3, this is run as root and without
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Otherwise there would be no way to turn off the simplistic rules that
prevent the modern passphrase "correct horse battery staple" style

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
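Since, on an AD DC, setting "check password script" makes the script the
whole password policy, a script that only does an HIBP lookup silently
drops the complexity rule. The following is an added example (not code
from Samba or from anyone in this thread) of a script written for that
role: it re-implements an AD-style complexity rule (characters from at
least three of five classes; no sAMAccountName or 3+ character token of
the display name inside the password), waives the character-class rule
for long passphrases of the "correct horse battery staple" kind, and then
does an HIBP k-anonymity range lookup, failing closed if HIBP is
unreachable. Assumptions: it is installed as
/usr/local/sbin/check_password.py and referenced from smb.conf as
"check password script = /usr/local/sbin/check_password.py"; the
candidate password arrives on stdin and exit status 0 means accept; the
SAMBA_CPS_ACCOUNT_NAME and SAMBA_CPS_FULL_NAME environment variables are
available (check smb.conf(5) for your Samba version); the 20-character
passphrase threshold is an illustrative policy choice; and the "fetch"
parameter exists only so the HIBP call can be substituted in tests, it is
not a Samba interface.

```python
#!/usr/bin/env python3
"""Example "check password script" for a Samba AD DC (added example, not
Samba code).  Samba pipes the candidate password to stdin; exit 0 accepts,
non-zero rejects.  Because setting the script disables the DC's built-in
complexity check, the script re-implements that rule itself."""
import hashlib
import os
import re
import sys
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint
MIN_LENGTH = 8           # floor for complex passwords
PASSPHRASE_LENGTH = 20   # at or above this, the character-class rule is waived (policy choice)


def _name_tokens(full_name):
    # AD splits the display name on these delimiters and rejects passwords
    # containing any token of three or more characters (case-insensitive).
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name or "") if len(t) >= 3]


def contains_name(password, account_name="", full_name=""):
    """True if the password contains the account name (3+ chars, as AD does)
    or any 3+ character token of the display name."""
    low = password.lower()
    if len(account_name) >= 3 and account_name.lower() in low:
        return True
    return any(tok.lower() in low for tok in _name_tokens(full_name))


def has_three_classes(password):
    """AD-style rule: characters from at least three of five classes."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # alphabetic characters with no upper/lower case (e.g. CJK scripts)
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(classes) >= 3


def meets_ad_complexity(password, account_name="", full_name=""):
    """Approximation of the built-in check this script replaces."""
    return not contains_name(password, account_name, full_name) and has_three_classes(password)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 as HIBP's range API expects: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_hibp_range(prefix):
    """Fetch the k-anonymity range for a 5-hex-char prefix (network call)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "samba-check-password-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def hibp_breach_count(password, fetch=fetch_hibp_range):
    """Return how often HIBP has seen the password (0 if never).
    Only the 5-character prefix leaves the host; matching is done locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def check_password(password, account_name="", full_name="", fetch=fetch_hibp_range):
    """Return (ok, reason).  ok is True only if every rule passes."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if contains_name(password, account_name, full_name):
        return False, "contains account or display name"
    if len(password) < PASSPHRASE_LENGTH and not has_three_classes(password):
        return False, "fails complexity"
    try:
        hits = hibp_breach_count(password, fetch)
    except OSError as exc:
        # Fail closed: an unreachable HIBP must not turn into "anything goes".
        return False, "hibp lookup failed: %s" % exc
    if hits:
        return False, "found in HIBP %d times" % hits
    return True, "ok"


def main():
    password = sys.stdin.read().rstrip("\n")
    # SAMBA_CPS_* variables: assumed to be set by the AD DC; empty if absent.
    ok, reason = check_password(password,
                                os.environ.get("SAMBA_CPS_ACCOUNT_NAME", ""),
                                os.environ.get("SAMBA_CPS_FULL_NAME", ""))
    if not ok:
        print("password rejected: " + reason, file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run by hand with "printf '%s' 'correct horse battery staple' | SAMBA_CPS_ACCOUNT_NAME=francis ./check_password.py; echo $?"
to see the exit status Samba would act on. The script runs as root on
the DC (per the commit quoted above), so keep it small, avoid shelling
out, and make sure the HIBP timeout is short enough that a slow network
does not stall password changes.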
