Andrew Bartlett
2022-Feb-24 21:54 UTC
[Samba] password complexity bypasswd by check password script
On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba wrote:
> On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <
> samba at lists.samba.org> wrote:
> > Users are created with Windows RSAT tools and custom internal
> > applications (ldap clients).
> >
> > Just to be clear, I'm talking about this samba configuration
> > parameter:
> > https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
> >
> > Now that I know this, I'll just implement a complexity check in my
> > script and the problem will be solved for me.
> >
> > I wrote this email because I'm not sure if this is a bug or a
> > feature. Like I said, it can lead to failure to comply with security
> > policies. If this is working as expected, I suggest editing the
> > documentation to make it more obvious.
> >
> > Thank you!
> >
> > On Thu, 24 Feb 2022 at 16:29, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > > Hello,
> > > >
> > > > I was wondering why my DC allowed users to set weak passwords
> > > > even if the domain password policy requires "complexity".
> > > >
> > > > I'm using a "check password script" that verifies if the
> > > > password is leaked in the HIBP database. I found that defining a
> > > > check password script completely REPLACES the built-in password
> > > > complexity check.
>
> I am also using the "check password script" option in smb.conf to
> check passwords against the HIBP database
> (https://gitlab.com/JonathonReinhart/passhashdb).
>
> I, too, was completely unaware that using "check password script"
> bypasses the built-in password complexity checks. Andrew, I
> understand your rationale, and I agree with Francis that a
> documentation update would be very welcome.

So please prepare the documentation patch, and also please write or update
a wiki page on using the HIBP database.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Jonathon Reinhart
2022-Feb-24 22:02 UTC
[Samba] password complexity bypasswd by check password script
On Thu, Feb 24, 2022 at 4:54 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba wrote:
> >
> > I am also using the "check password script" option in smb.conf to
> > check passwords against the HIBP database
> > (https://gitlab.com/JonathonReinhart/passhashdb).
> >
> > I, too, was completely unaware that using "check password script"
> > bypasses the built-in password complexity checks. Andrew, I
> > understand your rationale, and I agree with Francis that a
> > documentation update would be very welcome.
>
> So please prepare the documentation patch, and also please write or update
> a wiki page on using the HIBP database.

This should be easy enough.

Andrew, I could look in the code, but can you confirm that this only
replaces the *complexity* and not the minimum length requirements?

Francis, can you share what solution you are using for checking against
HIBP? I'm fairly happy with my solution; it is very fast due to the
binary-search algorithm. However, I'm not thrilled with the need for a
wrapper script, as I indicate here:
https://gitlab.com/JonathonReinhart/passhashdb/-/tree/master#use-with-samba

Perhaps someone has a better idea for dealing with the database path and
log path. I was trying to avoid another config file, but I guess the
wrapper script serves the same purpose...

Jonathon
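Editor's added example, covering both Francis's plan to put a complexity check into his script (quoted in Andrew's message above) and the binary-search lookup Jonathon describes. This is not passhashdb and not Samba's own code. What it relies on from Samba's documented behaviour: the "check password script" receives the candidate password on standard input and must exit 0 to accept it, any other status rejects it, and on the AD DC the account being changed is exported to the script in the SAMBA_CPS_ACCOUNT_NAME and SAMBA_CPS_FULL_NAME environment variables (the name check is simply skipped when they are absent). Everything else is an assumption for illustration: the complexity rule is modelled on the Windows default (three of five character categories, and no account name or 3+ character display-name token inside the password), the breach list is assumed to be a file of concatenated 20-byte SHA-1 digests sorted ascending (what you get by converting the "ordered by hash" HIBP download), and DEFAULT_DB_PATH, the PWNED_DB override and the build_db() sample plaintexts are constructed test fixtures, not real paths or breach data.

```python
#!/usr/bin/env python3
"""Samba "check password script" example: Windows-style complexity rules plus
an offline Have I Been Pwned (HIBP) lookup by binary search.

Samba writes the candidate password to this script's standard input and treats
exit status 0 as "accept" and anything else as "reject".
"""
import hashlib
import mmap
import os
import re
import sys

# Hypothetical default location of the breach list: concatenated 20-byte SHA-1
# digests, sorted ascending.  PWNED_DB is an assumed override for testing.
DEFAULT_DB_PATH = "/var/lib/samba/pwned-sha1.bin"
DIGEST_LEN = 20
MIN_CATEGORIES = 3  # Windows rule: at least 3 of the 5 categories counted below

# Delimiters Windows uses when splitting the display name into tokens.
NAME_DELIMS = re.compile(r"[\s,.\-_#]+")


def char_categories(password):
    """Number of categories present: upper, lower, digit, other ASCII (symbol),
    and any non-ASCII character (counted as one 'unicode' category)."""
    seen = set()
    for ch in password:
        if not ch.isascii():
            seen.add("unicode")
        elif ch.isupper():
            seen.add("upper")
        elif ch.islower():
            seen.add("lower")
        elif ch.isdigit():
            seen.add("digit")
        else:
            seen.add("symbol")
    return len(seen)


def contains_name_token(password, account_name="", full_name=""):
    """True if the password contains the account name, or any token of the
    full name that is 3+ characters long, ignoring case."""
    pw = password.casefold()
    if account_name and account_name.casefold() in pw:
        return True
    return any(len(tok) >= 3 and tok.casefold() in pw
               for tok in NAME_DELIMS.split(full_name or ""))


def is_complex(password, account_name="", full_name=""):
    return (char_categories(password) >= MIN_CATEGORIES
            and not contains_name_token(password, account_name, full_name))


def sha1_digest(password):
    return hashlib.sha1(password.encode("utf-8")).digest()


def digest_in_sorted_db(db, digest):
    """Binary search over fixed-width sorted digests held in any bytes-like
    object (bytes or an mmap); touches O(log n) records, no line parsing."""
    lo, hi = 0, len(db) // DIGEST_LEN
    while lo < hi:
        mid = (lo + hi) // 2
        rec = db[mid * DIGEST_LEN:(mid + 1) * DIGEST_LEN]
        if rec < digest:
            lo = mid + 1
        elif rec > digest:
            hi = mid
        else:
            return True
    return False


def build_db(plaintexts):
    """Constructed stand-in for the real HIBP file: sorted digests of the
    given plaintexts (test data, not breach data)."""
    return b"".join(sorted(sha1_digest(p) for p in plaintexts))


def check_password(password, db, account_name="", full_name=""):
    """Return (accepted, reason).  Complexity runs first so a weak password is
    rejected even if it is not (yet) in the breach list."""
    if not is_complex(password, account_name, full_name):
        return False, "does not meet complexity requirements"
    if digest_in_sorted_db(db, sha1_digest(password)):
        return False, "found in breach corpus"
    return True, "ok"


def main():
    password = sys.stdin.read()
    if password.endswith("\n"):  # tolerate a trailing newline on stdin
        password = password[:-1]
    # The AD DC exports the account being changed; the name check is skipped
    # when these variables are not set.
    account = os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    full_name = os.environ.get("SAMBA_CPS_FULL_NAME", "")
    path = os.environ.get("PWNED_DB", DEFAULT_DB_PATH)
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as db:
        ok, reason = check_password(password, db, account, full_name)
    if not ok:
        print("check password script: %s" % reason, file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Wiring it in is the usual `check password script = /usr/local/sbin/check-password.py` line in the [global] section of smb.conf (path hypothetical). The file is memory-mapped rather than read, so a multi-gigabyte digest list costs only a handful of page reads per lookup; the digests are fixed width precisely so that the search can seek by index instead of scanning lines, which is the property that makes the binary-search approach fast.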