[Samba] password complexity bypassed by check password script

Jonathon Reinhart jonathon.reinhart at gmail.com
Thu Feb 24 21:50:52 UTC 2022


On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <samba at lists.samba.org> wrote:
>
> Users are created with Windows RSAT tools and custom internal applications
> (ldap clients).
>
> Just to be clear, I'm talking about this samba configuration parameter:
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
>
> Now that I know this, I'll just implement a complexity check in my script
> and the problem will be solved for me.
>
> I wrote this email because I'm not sure if this is a bug or feature. Like I
> said, it can lead to failure to comply with security policies. If this is
> working as expected, I suggest editing the documentation to make it more
> obvious.
>
> Thank you!
>
> On Thu, Feb 24, 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > Hello,
> > >
> > > I was wondering why my DC allowed users to set weak passwords even if the
> > > domain password policy requires "complexity".
> > >
> > > I'm using a "check password script" that verifies if the password is leaked
> > > in the HIBP database. I found that defining a check password script
> > > completely REPLACES the built-in password complexity check.

I am also using the "check password script" option in smb.conf to
check passwords against the HIBP database
(https://gitlab.com/JonathonReinhart/passhashdb).

I, too, was completely unaware that using "check password script"
bypasses the built-in password complexity checks.  Andrew, I
understand your rationale, and I agree with Francis that a
documentation update would be very welcome.

Jonathon
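
The fix discussed in this thread (putting a complexity check inside the check password script itself), sketched as an added example that is not code from any poster, from passhashdb, or from Samba. It assumes the script receives the password on stdin and the account name in `SAMBA_CPS_ACCOUNT_NAME` as described in smb.conf(5); the three-of-four-classes rule is an approximation of the AD "complexity" policy, and `is_leaked` is a hypothetical hook for the existing HIBP lookup.

```python
#!/usr/bin/env python3
# Added example: complexity gate for a Samba "check password script".
# Samba supplies the candidate password on stdin; exit status 0 accepts it.
import os
import sys


def character_classes(password: str) -> int:
    """Count which of upper / lower / digit / other appear in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")  # symbols, spaces, caseless letters
    return len(classes)


def is_complex(password: str, account_name: str = "") -> bool:
    """Approximate the AD rule: 3+ classes, account name not embedded."""
    if character_classes(password) < 3:
        return False
    # Assumption: names shorter than 3 characters are not checked.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def is_leaked(password: str) -> bool:
    """Hypothetical hook: plug the HIBP / leaked-hash lookup in here."""
    return False


def verdict(password: str, account_name: str = "") -> int:
    """Exit status for Samba: 0 accepts, non-zero rejects."""
    if not is_complex(password, account_name):
        return 1
    return 1 if is_leaked(password) else 0


if __name__ == "__main__":
    candidate = sys.stdin.read().rstrip("\r\n")  # tolerate a trailing newline
    sys.exit(verdict(candidate, os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")))
```

Running the complexity gate first means a weak password is rejected even when the leaked-password lookup would have passed it.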


