Francis
2022-Feb-24 21:16 UTC
[Samba] password complexity bypassed by check password script
Hello,

I was wondering why my DC allowed users to set weak passwords even if the domain password policy requires "complexity".

I'm using a "check password script" that verifies if the password is leaked in the HIBP database. I found that defining a check password script completely REPLACES the built-in password complexity check.

The documentation is not clear on this subject and I wonder if this is a bug or a feature. If this is indeed a "feature", I suggest editing the documentation to make it more clear, as this can lead to failure to meet security policies.

Thanks!

--
Francis
Rowland Penny
2022-Feb-24 21:29 UTC
[Samba] password complexity bypassed by check password script
On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> Hello,
>
> I was wondering why my DC allowed users to set weak passwords even if the
> domain password policy requires "complexity".
>
> I'm using a "check password script" that verifies if the password is leaked
> in the HIBP database. I found that defining a check password script REPLACE
> completely the built-in password complexity check.

How are you creating users? Using 'samba-tool user add' requires the username and password, so you could feed it the output of your 'check password script' and if this password didn't meet the domain password complexity, the user wouldn't be created.

Rowland
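
If a check password script replaces the built-in complexity check, as the first message reports, the script itself has to enforce complexity before any breach lookup. The following is an added example, not code from the thread or from the Samba project: it approximates the Windows-style "3 of 4 character categories" rule, `MIN_LENGTH` and the function names are assumptions, and the `SAMBA_CPS_*` environment variables are the ones smb.conf(5) documents for this option.

```python
#!/usr/bin/env python3
"""Example 'check password script': a complexity gate to run before other checks."""
import os
import re
import sys

MIN_LENGTH = 8  # assumed value; set it to your domain's minimum password length


def char_classes(password):
    """Count how many character categories appear in the password."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols and whitespace
    ])


def meets_complexity(password, account_name="", full_name=""):
    """Return (ok, reason) for an approximation of the Windows complexity rule."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if char_classes(password) < 3:
        return False, "fewer than 3 character categories"
    lowered = password.lower()
    # Reject passwords that embed the account name or a part of the display name.
    tokens = [account_name] + re.split(r"[,.\-_ #\t]+", full_name)
    for token in tokens:
        if len(token) >= 3 and token.lower() in lowered:
            return False, "contains part of the user's name"
    return True, "ok"


def main():
    # Samba sends the candidate password on stdin; exit status 0 means "accept".
    password = sys.stdin.read().rstrip("\r\n")  # tolerate a newline in manual tests
    ok, reason = meets_complexity(
        password,
        os.environ.get("SAMBA_CPS_ACCOUNT_NAME", ""),
        os.environ.get("SAMBA_CPS_FULL_NAME", ""),
    )
    if not ok:
        print("password rejected: " + reason, file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

A password such as `Password1` passes this gate, which is why a leaked-password lookup like the HIBP check belongs in the same script, after the complexity test succeeds.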