[Samba] Users unable to reset passwords

Jeffrey Walton noloader at gmail.com
Tue Jun 3 04:55:50 UTC 2025


On Tue, Jun 3, 2025 at 12:05 AM Mark Foley via samba
<samba at lists.samba.org> wrote:
>
> On Mon Jun  2 23:28:45 2025 Jeffrey Walton <noloader at gmail.com> wrote:
> >
> > On Mon, Jun 2, 2025 at 5:34 PM Mark Foley via samba
> > <samba at lists.samba.org> wrote:
>
> [snip]
>
> > > 1) Users are set to "change password on next login" or when passwords expire on
> > > the Windows 11 workstations the users cannot reset their passwords.  As sysadmin
> > > I have to do that through either ADUC or samba-tool.
> > >
>
> [snip]
> >
> > This is part of your problem. Antique password policies from the 1990s
> > based on numerology and not science.
> >
> > Don't force users to change their passwords at all. Never throw away a
> > perfectly good secret. Only have them change the password if it
> > is suspected to be compromised.
> >
> > Forced password changes, and other useless crap like complexity
> > requirements, weaken security over time. As you grind on users every
> > quarter to change a strong password, users choose weaker and weaker
> > passwords that comply with policy until you are left with weak
> > passwords like P@ssword1.
> >
> > If you are interested in the science, then read Peter Gutmann's
> > Engineering Security (Chapter 7 PASSWORDS) or NIST SP800-63b, Digital
> > Identity Guidelines. Gutmann's book is particularly well cited with
> > security and usability studies, and it dispels all the myths, like
> > password rotation and complexity.
>
> [snip]
>
> I 110% agree with you! Unfortunately, this is "policy" beyond my control
> or power to suggest. To quote Steven Seagal in "Under Siege", "I'm just
> a lowly, lowly cook!" We get audited by outside firms, vulnerability tested by
> Homeland Security, and monitored for prescribed security requirements by our
> Cyber-Insurance company. The password policy is just one of many, in some cases
> useless, things we have to do.

NIST SP800-63b-4 shipped in August 2024. It is mostly state of the
art. (There are a few gaps that still need to be addressed). Here is
Schneier's digest of the changes in SP800-63b-4:
<https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-sense-password-rules.html>.

Password complexity and password rotation are SHALL NOT in
SP800-63b-4. If the organization is using the old NT policies and not
using the latest SP800-63b, then it is _NOT_ following best practices
and standards. If your auditor or insurance carrier is not wise to the
changes, then they need to be educated, not placated.

Your SP800-53a auditor from Homeland Security should be aware of
SP800-63b-4 changes. You should not have a problem with them.

One more place to look for a hardened Windows system is DISA's STIG,
<https://public.cyber.mil/stigs/>. I have not read the STIG on Windows
recently, so I don't know what it says about password policies
nowadays.

> I've created a number of intrusion detection and counter-measure scripts, running
> on the Linux servers, that shut down would-be attackers in a matter of seconds.
> Attackers seem to seldom try realistic passwords, and a user's email is no part of
> their domain login.
>
> One of the best moves in this regard is to use Linux for all servers, including
> the Domain Controller. That is why, despite some of the irritations I've posted
> in this thread, I'll not be converting to a Windows based DC any time soon.
>
> Another important thing we do is back up everything, offsite, daily -- and
> important stuff every 20 minutes.
>
> Thanks for your feedback and I will definitely check out the Gutmann book.

Gutmann's book is very good reading. I would call it essential reading
for anyone doing security design and architecture work.

Jeff
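As an added illustration of the point above (not part of the original thread, and not Samba's own code): a small check that reads the output of `samba-tool domain passwordsettings show` on a Samba AD DC, compares it with the SP 800-63B-4 rules Jeff cites (no composition rules, no forced rotation, minimum length of 8), and prints the corresponding `samba-tool domain passwordsettings set` command. The sample output is constructed; the assumption that `--max-pwd-age=0` disables expiry follows samba-tool's documented behaviour.

```python
import re

# Constructed sample in the format printed by `samba-tool domain passwordsettings show`;
# the values represent a legacy NT-style policy (complexity on, 42-day rotation).
SAMPLE_SHOW_OUTPUT = """\
Password information for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""


def parse_passwordsettings(text):
    """Turn the 'Label: value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(\S+)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        settings[key] = int(value) if value.isdigit() else value
    return settings


def check_against_sp800_63b(settings):
    """Return (findings, remediation command or None) against SP 800-63B-4:
    SHALL NOT impose composition rules, SHALL NOT require periodic changes,
    SHALL require at least 8 characters."""
    findings, args = [], []
    if settings.get("Password complexity") == "on":
        findings.append("complexity rules enabled (SHALL NOT impose composition rules)")
        args.append("--complexity=off")
    if settings.get("Maximum password age (days)", 0) != 0:
        findings.append("periodic rotation enforced (SHALL NOT require periodic changes)")
        args.append("--max-pwd-age=0")  # assumption: 0 days = passwords never expire
    if settings.get("Minimum password length", 0) < 8:
        findings.append("minimum length below 8 (SHALL require at least 8 characters)")
        args.append("--min-pwd-length=8")
    remediation = "samba-tool domain passwordsettings set " + " ".join(args) if args else None
    return findings, remediation


if __name__ == "__main__":
    found, fix = check_against_sp800_63b(parse_passwordsettings(SAMPLE_SHOW_OUTPUT))
    for f in found:
        print("FINDING:", f)
    print("Suggested:", fix)
```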