[Samba] password complexity bypassed by check password script

Francis francisd at gmail.com
Thu Feb 24 21:37:34 UTC 2022


Users are created with Windows RSAT tools and custom internal applications
(ldap clients).

Just to be clear, I'm talking about this samba configuration parameter:
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542

Now that I know this, I'll just implement a complexity check in my script
and the problem will be solved for me.

I wrote this email because I'm not sure if this is a bug or feature. Like I
said, it can lead to failure to comply with security policies. If this is
working as expected, I suggest editing the documentation to make it more
obvious.

Thank you!

On Thu, Feb 24, 2022 at 16:29, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> >
> > I was wondering why my DC allowed users to set weak passwords even if
> > the domain password policy requires "complexity".
> >
> > I'm using a "check password script" that verifies if the password is
> > leaked in the HIBP database. I found that defining a check password
> > script completely REPLACES the built-in password complexity check.
>
> How are you creating users? Using 'samba-tool user add' requires the
> username and password, so you could feed it the output of your 'check
> password script' and if this password didn't meet the domain password
> complexity, the user wouldn't be created.
>
> Rowland
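
The approach described in this thread, a check password script that enforces complexity itself in addition to the HIBP lookup, as an added example (not the poster's script and not Samba code). It assumes the interface documented in smb.conf(5): the password arrives on stdin, exit status 0 accepts it, and `SAMBA_CPS_ACCOUNT_NAME` / `SAMBA_CPS_FULL_NAME` carry the user's names; the complexity rule is an approximation of the Windows-style policy, not a copy of Samba's built-in check.

```python
#!/usr/bin/env python3
# Added example of a Samba "check password script": complexity + HIBP check.
import hashlib
import os
import re
import sys
import urllib.request


def is_complex(password, account_name="", full_name=""):
    """Approximate Windows rule: 3 of 4 character classes, no name parts."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        return False
    # Reject the account name and each full-name token (3+ chars) as substrings.
    names = [account_name] + re.split(r"[,.\-_ #\t]+", full_name)
    return not any(len(n) >= 3 and n.lower() in password.lower() for n in names)


def fetch_range(prefix):
    """HIBP range query: only the first 5 hex chars of the SHA-1 leave the host."""
    req = urllib.request.Request("https://api.pwnedpasswords.com/range/" + prefix,
                                 headers={"User-Agent": "cps-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def is_leaked(password, fetch=fetch_range):
    """True if the SHA-1 suffix appears in the range response with count > 0."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in fetch(digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix.strip().upper() == digest[5:] and int(count or 0) > 0:
            return True
    return False


def main():
    # Samba writes the candidate password to stdin; strip a newline from manual tests.
    password = sys.stdin.read().rstrip("\r\n")
    account = os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    full_name = os.environ.get("SAMBA_CPS_FULL_NAME", "")
    if not is_complex(password, account, full_name):
        return 1
    # A network error raises here, so the script exits non-zero (fails closed).
    return 1 if is_leaked(password, fetch_range) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the script replaces the built-in check rather than adding to it, both tests have to pass before it returns 0.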