[Samba] password complexity bypassed by check password script

Andrew Bartlett abartlet at samba.org
Thu Feb 24 21:46:09 UTC 2022


A patch to say:

When Samba is acting as an AD DC, the "check password script" is run
only on user (not machine) accounts that require complex passwords
under the password policy and replaces the default password quality
rules.  This can be helpful to permit long passphrases instead of 
'complex' short passwords.

The default rules in the AD DC are that passwords must contain
characters from three of the following five categories:

   - Uppercase characters of European languages (A through Z, with
     diacritic marks, Greek and Cyrillic characters)
   - Lowercase characters of European languages (a through z, sharp-s,
     with diacritic marks, Greek and Cyrillic characters)
   - Base 10 digits (0 through 9)
   - Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
   - Any Unicode character that is categorized as an alphabetic
     character but is not uppercase or lowercase. This includes
     Unicode characters from Asian languages.

Would be well accepted.  That text is from the comment in
genrand_util.c.

Andrew Bartlett

On Thu, 2022-02-24 at 16:37 -0500, Francis via samba wrote:
> Users are created with Windows RSAT tools and custom internal
> applications
> (ldap clients).
> 
> Just to be clear, I'm talking about this samba configuration
> parameter:
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
> 
> Now that I know this, I'll just implement a complexity check in my
> script
> and the problem will be solved for me.
> 
> I wrote this email because I'm not sure if this is a bug or feature.
> Like I said, it can lead to failure to comply with security policies.
> If this is working as expected, I suggest editing the documentation
> to make it more obvious.
> 
> Thank you!
> 
> Le jeu. 24 févr. 2022 à 16:29, Rowland Penny via samba <
> samba at lists.samba.org> a écrit :
> 
> > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > Hello,
> > > 
> > > I was wondering why my DC allowed users to set weak passwords
> > > even if
> > > the
> > > domain password policy requires "complexity".
> > > 
> > > I'm using a "check password script" that verifies if the password
> > > is
> > > leaked
> > > in the HIBP database. I found that defining a check password
> > > script
> > > REPLACE
> > > completely the built-in password complexity check.
> > 
> > How are you creating users? Using 'samba-tool user add' requires
> > the username and password, so you could feed it the output of your
> > 'check password script' and if this password didn't meet the domain
> > password complexity, the user wouldn't be created.
> > 
> > Rowland
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
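The thread's point is that defining "check password script" replaces the built-in complexity check entirely, so a script that only does a breach lookup silently drops the three-of-five rule. The following is an added example, not code from Samba or from anyone in this thread: a hypothetical check password script that re-implements the category rule quoted above and then applies an extra check (a constructed local denylist stands in for the poster's HIBP lookup, so it runs offline). It assumes the smb.conf contract that the candidate password arrives on standard input and exit status 0 means "accept"; it does not reproduce anything else Windows does (such as rejecting passwords containing the account name), since the thread does not describe that.

```python
#!/usr/bin/env python3
"""Hypothetical Samba 'check password script' (example, not Samba code).

Re-implements the default three-of-five character category rule so that
installing a script does not discard complexity checking, then runs an
additional check. Samba writes the candidate password to stdin and
treats exit status 0 as accept, anything else as reject.
"""
import sys

# Non-alphanumeric set as listed in the thread (from genrand_util.c).
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed sample denylist standing in for an HIBP lookup.
SAMPLE_DENYLIST = frozenset({"Password1!", "Welcome123"})


def categories(password: str) -> set:
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")            # A-Z plus accented, Greek, Cyrillic
        elif ch.islower():
            found.add("lower")            # a-z, sharp-s, accented, etc.
        elif ch in "0123456789":
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        elif ch.isalpha():
            # Alphabetic but neither upper nor lower case, e.g. CJK characters.
            found.add("other_alpha")
    return found


def is_complex(password: str, min_categories: int = 3) -> bool:
    """Default AD DC rule: characters from at least three categories."""
    return len(categories(password)) >= min_categories


def check_password(password: str, denylist=frozenset()) -> tuple:
    """Complexity rule first, then the extra check. Returns (accepted, reason)."""
    if not is_complex(password):
        return False, "fewer than three character categories"
    if password in denylist:
        return False, "password appears in the local denylist"
    return True, "ok"


def main() -> int:
    # Samba passes the password on stdin; strip only the line terminator.
    password = sys.stdin.readline().rstrip("\r\n")
    accepted, reason = check_password(password, SAMPLE_DENYLIST)
    if not accepted:
        print(reason, file=sys.stderr)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the script is only invoked for user accounts whose policy requires complexity, it does not need to consult the policy itself; a long passphrase such as "Correct horse battery staple!" passes (uppercase, lowercase, special), while a lowercase-only one is rejected before any denylist lookup.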