[Samba] password complexity bypassed by check password script
Andrew Bartlett
abartlet at samba.org
Thu Feb 24 21:54:07 UTC 2022
On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba wrote:
> On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <samba at lists.samba.org> wrote:
> > Users are created with Windows RSAT tools and custom internal applications (ldap clients).
> >
> > Just to be clear, I'm talking about this samba configuration parameter:
> > https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
> >
> > Now that I know this, I'll just implement a complexity check in my script and the problem will be solved for me.
> >
> > I wrote this email because I'm not sure if this is a bug or feature. Like I said, it can lead to failure to comply with security policies. If this is working as expected, I suggest editing the documentation to make it more obvious.
> >
> > Thank you!
> >
> > On Thu, Feb 24, 2022 at 16:29, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > > Hello,
> > > >
> > > > I was wondering why my DC allowed users to set weak passwords even if the domain password policy requires "complexity".
> > > >
> > > > I'm using a "check password script" that verifies if the password is leaked in the HIBP database. I found that defining a check password script REPLACES completely the built-in password complexity check.
>
> I am also using the "check password script" option in smb.conf to
> check passwords against the HIBP database
> (https://gitlab.com/JonathonReinhart/passhashdb).
>
> I, too, was completely unaware that using "check password script"
> bypasses the built-in password complexity checks. Andrew, I
> understand your rationale, and I agree with Francis that a
> documentation update would be very welcome.
So please prepare the documentation patch, and also please write or update a wiki page on using the HIBP database.
Thanks,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
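
An added example (not from this thread and not Samba's own code) of a "check password script" that applies a complexity rule before the breached-password lookup, since configuring the script replaces the built-in check. The three-of-four character-class rule, the function names and the two-entry hash set are assumptions constructed for illustration; the account name is read from the SAMBA_CPS_ACCOUNT_NAME environment variable described in smb.conf(5).

```python
#!/usr/bin/env python3
"""Check password script: complexity rule plus breached-password lookup."""
import hashlib
import os
import sys

MIN_CLASSES = 3  # assumption: Windows-style "three of four character classes"

# Constructed stand-in for an offline breached-hash set (SHA-1, upper-case hex).
LEAKED_SHA1 = {hashlib.sha1(p).hexdigest().upper()
               for p in (b"Password1!", b"Summer2022!")}


def is_complex(password, account_name=""):
    """Approximate the AD complexity rule; not Samba's own implementation."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        return False
    # Reject passwords that embed the account name (names under 3 chars ignored).
    name = account_name.lower()
    return not (len(name) >= 3 and name in password.lower())


def is_leaked(password):
    """True if the password's SHA-1 is in the breached-hash set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in LEAKED_SHA1


def check(password, account_name=""):
    """Return 0 to accept, non-zero to reject (used as the exit status)."""
    if not is_complex(password, account_name):
        return 1
    if is_leaked(password):
        return 2
    return 0


if __name__ == "__main__":
    # Samba sends the candidate password on stdin; exit 0 means "accept".
    pw = sys.stdin.read().rstrip("\n")
    sys.exit(check(pw, os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")))
```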