[Samba] Restrict certain words in passwords

Carlos carlos.hollow at gmail.com
Tue May 24 22:40:26 UTC 2022


Yes, my wheels are over password complexity enabled (don't know how to
disable for some accounts).

samba-tool domain passwordsettings show
Password information for domain 'DC=XXX'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 180
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30


Regards;


On 24/05/2022 19:27, Andrew Bartlett wrote:
> Note that the script will only operate on the AD DC for accounts that
> are required to have password complexity.  If those AD accounts are not
> under such a domain-wide or fine-grained password policy it won't
> apply.
>
> The script is tested, so I think this is a configuration issue, so
> please continue to investigate.  We will also accept improvements to
> the documentation and wiki.
>
> Andrew Bartlett
>
> On Tue, 2022-05-24 at 19:20 -0300, Carlos via samba wrote:
>> Hi
>>
>> Thank you for the information.
>>
>>
>> From what I've seen the script doesn't run when the password is changed
>> by "Windows", which is a problem.
>>
>> My idea would be just a custom blacklist of words that could not be
>> contained in the password....
>>
>> Regards;
>>
>> On 19/05/2022 19:33, Jonathon Reinhart wrote:
>>> On Thu, May 19, 2022 at 7:59 AM Carlos Alberto Panozzo Cunha via samba
>>> <samba at lists.samba.org> wrote:
>>>> Hi!
>>>>
>>>> Sorry, I couldn't understand what you meant, could you explain again? :-D
>>>>
>>>> Regards;
>>>>
>>>>
>>>> On Tue, 17 May 2022 at 18:12, Andrew Bartlett <abartlet at samba.org>
>>>> wrote:
>>>>
>>>>> On Tue, 2022-05-17 at 16:25 -0300, Carlos via samba wrote:
>>>>>> Hi. I wonder if it is possible to restrict certain words in users'
>>>>>> passwords? So as not to permit a user, for example, to set "XXXX"
>>>>>> in their password, with "XXX1" or "XXX@" or "123XXX"...
>>>>> See 'check password script'.  Some have set this up to check against
>>>>> the master list of known public passwords from haveibeenpwned for
>>>>> example.  Be aware that this overrides the other complexity checks (to
>>>>> allow you to do that, if you need, eg to allow a passphrase).
>>>>>
>>>>> Andrew Bartlett
>>> Carlos,
>>>
>>> See this recent conversation:
>>> https://lists.samba.org/archive/samba/2022-April/240363.html
>>>
>>> However, there was some doubt as to whether or not it always works. I
>>> haven't had time to troubleshoot this.
>>>
>>> Jonathon
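
The word blacklist discussed in this thread, sketched as a program for 'check password script' (an added example, not code from the thread or from the Samba project). It assumes the interface described in the smb.conf manual: the candidate password arrives on standard input, exit status 0 accepts it, any other status rejects it, and Samba 4.11 or later exports SAMBA_CPS_ACCOUNT_NAME. The words in BLACKLIST and the character-substitution table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Word-blacklist filter for smb.conf 'check password script' (added example)."""
import os
import sys

# Constructed sample words; a real deployment supplies its own list.
BLACKLIST = ("example", "acme")

# Common substitutions folded back to letters so "3x@mple" matches "example".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def find_banned_word(password, words=BLACKLIST):
    """Return the first banned word contained in the password, else None."""
    plain = password.casefold()
    folded = plain.translate(LEET)
    for word in words:
        needle = word.casefold()
        # Empty needles are skipped: "" is a substring of every password.
        if needle and (needle in plain or needle in folded):
            return word
    return None


def main(stdin=sys.stdin, environ=os.environ):
    # The password is read from stdin and never logged or echoed.
    password = stdin.readline().rstrip("\r\n")
    words = list(BLACKLIST)
    # Also ban the account's own name; names under 3 characters are
    # ignored here (a choice of this example) to avoid rejecting everything.
    account = environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    if len(account) >= 3:
        words.append(account)
    return 1 if find_banned_word(password, words) else 0


if __name__ == "__main__":
    sys.exit(main())
```

As noted in the thread, a configured script overrides the other complexity checks, so any character-class rule still wanted has to be added to the script as well.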
