[Samba] Restrict certain words in passwords

Andrew Bartlett abartlet at samba.org
Tue May 24 22:27:30 UTC 2022


Note that the script will only operate on the AD DC for accounts that
are required to have password complexity.  If those AD accounts are not
under such a domain-wide or fine-grained password policy it won't
apply.

The script is tested, so I think this is a configuration issue, so
please continue to investigate.  We will also accept improvements to
the documentation and wiki.

Andrew Bartlett

On Tue, 2022-05-24 at 19:20 -0300, Carlos via samba wrote:
> Hi
> 
> Thank you for the information.
> 
> 
> From what I've seen the script doesn't run when the password is changed 
> by "Windows", which is a problem.
> 
> My idea would be just a custom blacklist of words that could not be 
> contained in the password....
> 
> Regards;
> 
> On 19/05/2022 19:33, Jonathon Reinhart wrote:
> > On Thu, May 19, 2022 at 7:59 AM Carlos Alberto Panozzo Cunha via samba
> > <samba at lists.samba.org> wrote:
> > > Hi!
> > > 
> > > Sorry, I couldn't understand what you meant, could you explain again? :-D
> > > 
> > > Regards;
> > > 
> > > 
> > > On Tue, 17 May 2022 at 18:12, Andrew Bartlett <abartlet at samba.org>
> > > wrote:
> > > 
> > > > On Tue, 2022-05-17 at 16:25 -0300, Carlos via samba wrote:
> > > > > Hi. I wonder if it is possible to restrict certain words in the
> > > > > passwords of users? To not permit a user, for example, to set
> > > > > "XXXX" in their password, with "XXX1" or "XXX@" or "123XXX"...
> > > > See 'check password script'.  Some have set this up to check against
> > > > the master list of known public passwords from haveibeenpwned for
> > > > example.  Be aware that this overrides the other complexity checks (to
> > > > allow you to do that, if you need, eg to allow a passphrase).
> > > > 
> > > > Andrew Bartlett
> > Carlos,
> > 
> > See this recent conversation:
> > https://lists.samba.org/archive/samba/2022-April/240363.html
> > 
> > However, there was some doubt as to whether or not it always works. I
> > haven't had time to troubleshoot this.
> > 
> > Jonathon
> 

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
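
A blocked-word filter of the kind asked about in this thread, as an added example that is not from the thread or the Samba project. It uses the interface smb.conf documents for 'check password script' (password on standard input, exit status 0 to accept, non-zero to reject); the word list, minimum length, install path and substitution table are constructed assumptions, and the substitution handling goes beyond the plain substring cases in the question.

```python
#!/usr/bin/env python3
# Added example, hypothetical install path:
#   [global] check password script = /usr/local/sbin/check_blocked_words.py
import sys

# Constructed sample blocklist; replace with the words your site forbids.
BLOCKED_WORDS = ["contoso", "winter", "password"]
# The script replaces the built-in complexity checks, so keep a length floor
# here (the value is an assumption, not a Samba default).
MIN_LENGTH = 12
# Common character substitutions undone before matching (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def violations(password, blocked=BLOCKED_WORDS, min_length=MIN_LENGTH):
    """Return the reasons a password is rejected; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.casefold()
    # Match against the raw form and the de-substituted form, so that
    # "123WORD", "WORD@" and "W0RD" are all caught by one substring test.
    candidates = (lowered, lowered.translate(LEET))
    if any(word.casefold() in c for word in blocked for c in candidates):
        reasons.append("contains blocked word")
    return reasons


def main():
    # Read everything on stdin and drop only a trailing line ending, so
    # passwords with leading or trailing spaces are checked unchanged.
    password = sys.stdin.read().rstrip("\r\n")
    reasons = violations(password)
    if reasons:
        # Log the reason only, never the password or the matched word.
        print("rejected: " + ", ".join(reasons), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

As noted at the top of this message, the script is only consulted on the AD DC for accounts that are subject to password complexity.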



