On Thu, Apr 7, 2022 at 9:32 AM ralph strebbing via samba
<samba at lists.samba.org> wrote:>
> Morning all,
>
> So doing the google-foo this morning, I'm coming up empty on a decent
> way to handle custom password filtering with Samba, so I figured I'd
> ask here how to approach this.
>
> What we wish to do is implement some way to prevent users from using
> certain passwords via the Windows Security Change Password screen. On
> a windows environment, from what I'm reading, this is achieved via
> Password Filters DLLs that you can install and register on the domain
> controller. So my question is how to go about implementing something
> like that on our Samba AD DC setup? Or is there another way to
> approach this problem entirely that I'm not aware of?
>
> Any advice is appreciated!
>
> Regards,
> Ralph
Hi Ralph,
I think you're looking for the "check password script" option in
smb.conf:
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1543
Here's the "crackcheck" sample program to which the documentation
refers:
https://gitlab.com/samba-team/samba/-/tree/master/examples/auth/crackcheck
Here's a project of mine that checks samba passwords against the "Have
I been Pwned" database (offline):
https://gitlab.com/JonathonReinhart/passhashdb#use-with-samba
Hope this helps,
Jonathon