[Samba] Users unable to reset passwords
Mark Foley
mfoley at novatec-inc.com
Tue Jun 3 04:04:41 UTC 2025
On Mon Jun 2 23:28:45 2025 Jeffrey Walton <noloader at gmail.com> wrote:
>
> On Mon, Jun 2, 2025 at 5:34 PM Mark Foley via samba
> <samba at lists.samba.org> wrote:
[snip]
> > 1) Users are set to "change password on next login" or when passwords expire on
> > the Windows 11 workstations the users cannot reset their passwords. As sysadmin
> > I have to do that through either ADUC or samba-tool.
> >
[snip]
>
> This is part of your problem. Antique password policies from the 1990s
> based on numerology and not science.
>
> Don't force users to change their passwords at all. Never throw away a
> perfectly good secret. Only have them change the password if it
> is suspected to be compromised.
>
> Forced password changes, and other useless crap like complexity
> requirements, weakens security over time. As you grind on users every
> quarter to change a strong password, users choose weaker and weaker
> passwords that comply with policy until you are left with weak
> passwords like P@ssword1.
>
> If you are interested in the science, then read Peter Gutmann's
> Engineering Security (Chapter 7 PASSWORDS) or NIST SP800-63b, Digital
> Identity Guidelines. Gutmann's book is particularly well cited with
> security and usability studies, and it dispels all the myths, like
> password rotation and complexity.
>
> Jeff
[snip]
I 110% agree with you! Unfortunately, this is "policy" beyond my control
or power to suggest. To quote Steven Seagal in "Under Siege", "I'm just
a lowly, lowly cook!" We get audited by outside firms, vulnerability tested by
Homeland Security, and monitored for prescribed security requirements by our
Cyber-Insurance company. The password policy is just one of many, in some cases
useless, things we have to do.
I've created a number of intrusion detection and counter-measure scripts, running
on the Linux servers, that shut down would-be attackers in a matter of seconds.
Attackers seem to seldom try realistic passwords, and a user's email is no part of
their domain login.
One of the best moves in this regard is to use Linux for all servers, including
the Domain Controller. That is why, despite some of the irritations I've posted
in this thread, I'll not be converting to a Windows based DC any time soon.
Another important thing we do is back up everything, offsite, daily -- and
important stuff every 20 minutes.
Thanks for your feedback and I will definitely check out the Gutmann book.
--Mark