[Samba] password complexity bypassed by check password script

Andrew Bartlett abartlet at samba.org
Thu Feb 24 21:54:07 UTC 2022


On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba wrote:
> On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <samba at lists.samba.org> wrote:
> > Users are created with Windows RSAT tools and custom internal
> > applications (ldap clients).
> > 
> > Just to be clear, I'm talking about this samba configuration parameter:
> > https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
> > 
> > Now that I know this, I'll just implement a complexity check in my
> > script and the problem will be solved for me.
> > 
> > I wrote this email because I'm not sure if this is a bug or feature.
> > Like I said, it can lead to failure to comply with security policies.
> > If this is working as expected, I suggest editing the documentation to
> > make it more obvious.
> > 
> > Thank you!
> > 
> > On Thu, Feb 24, 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > 
> > > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > > Hello,
> > > > 
> > > > I was wondering why my DC allowed users to set weak passwords even
> > > > if the domain password policy requires "complexity".
> > > > 
> > > > I'm using a "check password script" that verifies if the password
> > > > is leaked in the HIBP database. I found that defining a check
> > > > password script completely REPLACES the built-in password
> > > > complexity check.
> 
> I am also using the "check password script" option in smb.conf to
> check passwords against the HIBP database
> (https://gitlab.com/JonathonReinhart/passhashdb).
> 
> I, too, was completely unaware that using "check password script"
> bypasses the built-in password complexity checks.  Andrew, I
> understand your rationale, and I agree with Francis that a
> documentation update would be very welcome.

So please prepare the documentation patch, and also please write or update
a wiki page on using the HIBP database.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
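
An added example, not part of the thread or of either poster's script: one way a check password script can keep a complexity test alongside the leaked-password lookup, as Francis describes doing. It relies on smb.conf's documented interface (password on stdin, exit status 0 to accept, account name in SAMBA_CPS_ACCOUNT_NAME); the three-of-four-classes rule only approximates the built-in check, and the hash-file loader and its format are assumptions.

```python
#!/usr/bin/env python3
"""Sketch of a 'check password script' that keeps a complexity check
alongside a leaked-password lookup. Samba sends the candidate password on
stdin and treats exit status 0 as accept, anything else as reject."""
import hashlib
import os
import sys

MIN_CLASSES = 3  # assumption: Windows-style "three of four classes" rule


def char_classes(password):
    """Count how many of the four character classes appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def is_leaked(password, leaked_sha1):
    """leaked_sha1: set of upper-case SHA-1 hex digests of known-leaked passwords."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in leaked_sha1


def check(password, account="", leaked_sha1=frozenset()):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    if char_classes(password) < MIN_CLASSES:
        reasons.append("too few character classes")
    if len(account) >= 3 and account.lower() in password.lower():
        reasons.append("contains account name")
    if is_leaked(password, leaked_sha1):
        reasons.append("found in leaked-password set")
    return reasons


def load_hashes(path):
    """Hypothetical loader for a small list: 'HASH' or 'HASH:count' per line."""
    with open(path, encoding="ascii") as fh:
        return {line.split(":")[0].strip().upper() for line in fh if line.strip()}


if __name__ == "__main__":
    pw = sys.stdin.readline().rstrip("\n")
    hashes = load_hashes(sys.argv[1]) if len(sys.argv) > 1 else frozenset()
    problems = check(pw, os.environ.get("SAMBA_CPS_ACCOUNT_NAME", ""), hashes)
    sys.exit(1 if problems else 0)
```

Loading hashes into an in-memory set only suits a small list; a full leaked-password corpus needs an indexed on-disk store.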



