Rowland Penny
2022-Feb-24 21:29 UTC
[Samba] password complexity bypasswd by check password script
On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> Hello,
>
> I was wondering why my DC allowed users to set weak passwords even if
> the domain password policy requires "complexity".
>
> I'm using a "check password script" that verifies if the password is
> leaked in the HIBP database. I found that defining a check password
> script REPLACES completely the built-in password complexity check.

How are you creating users? Using 'samba-tool user add' requires the
username and password, so you could feed it the output of your 'check
password script', and if this password didn't meet the domain password
complexity, the user wouldn't be created.

Rowland
Andrew Bartlett
2022-Feb-24 21:36 UTC
[Samba] password complexity bypasswd by check password script
On Thu, 2022-02-24 at 21:29 +0000, Rowland Penny via samba wrote:
> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> >
> > I was wondering why my DC allowed users to set weak passwords even
> > if the domain password policy requires "complexity".
> >
> > I'm using a "check password script" that verifies if the password
> > is leaked in the HIBP database. I found that defining a check
> > password script REPLACES completely the built-in password
> > complexity check.
>
> How are you creating users? Using 'samba-tool user add' requires the
> username and password, so you could feed it the output of your 'check
> password script', and if this password didn't meet the domain password
> complexity, the user wouldn't be created.
>
> Rowland

Yes, we need a pile more context on how Samba is being configured,
which major mode (AD, NT4-DC) etc. While Samba tries to implement
common options across the suite, the backend handling is quite
different, so these details matter.

In AD, yes, we expect that if the administrator is specifying a
script, they want full control over the rules; that has been the
behaviour since it was implemented here:

commit 878fa6ef7de420ed7f28e95113bb76bf50879553
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Apr 1 10:10:57 2016 +1300

    check-password-script: Allow AD to execute these scripts

    In contrast to source3, this is run as root and without substitution.

    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Otherwise there would be no way to turn off the simplistic rules that
prevent the modern passphrase "correct horse battery staple" style
passwords.

Andrew Bartlett

--
Andrew Bartlett (he/him)                   https://samba.org/~abartlet/
Samba Team Member (since 2001)             https://samba.org
Samba Team Lead, Catalyst IT               https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Francis
2022-Feb-24 21:37 UTC
[Samba] password complexity bypasswd by check password script
Users are created with Windows RSAT tools and custom internal
applications (LDAP clients).

Just to be clear, I'm talking about this samba configuration parameter:
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542

Now that I know this, I'll just implement a complexity check in my
script and the problem will be solved for me.

I wrote this email because I'm not sure if this is a bug or a feature.
Like I said, it can lead to failure to comply with security policies.
If this is working as expected, I suggest editing the documentation to
make it more obvious.

Thank you!

On Thu, 24 Feb 2022 at 16:29, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > Hello,
> >
> > I was wondering why my DC allowed users to set weak passwords even
> > if the domain password policy requires "complexity".
> >
> > I'm using a "check password script" that verifies if the password
> > is leaked in the HIBP database. I found that defining a check
> > password script REPLACES completely the built-in password
> > complexity check.
>
> How are you creating users? Using 'samba-tool user add' requires the
> username and password, so you could feed it the output of your 'check
> password script', and if this password didn't meet the domain password
> complexity, the user wouldn't be created.
>
> Rowland
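The fix Francis describes (moving the complexity rule into the script, because on an AD DC a configured 'check password script' takes over from the built-in check) worked through as an added example; this is not Francis's script or Samba code. It assumes Samba's documented contract for the script (new password on stdin, exit status 0 to accept, anything else to reject) and the HIBP k-anonymity range API at api.pwnedpasswords.com; the three-of-four character class rule mirrors the AD complexity policy.

```python
#!/usr/bin/env python3
"""Added example of a Samba 'check password script' (not Francis's script).
Samba pipes the candidate password to stdin and accepts it only on exit 0,
so the complexity rule must live in the script once the script is set."""
import hashlib
import sys
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # k-anonymity range API

def meets_complexity(password, min_length=7):
    """AD-style complexity: minimum length plus three of four character classes."""
    if len(password) < min_length:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3

def fetch_range(prefix):
    """Fetch the 'SUFFIX:COUNT' lines for a 5-hex-char SHA-1 prefix from HIBP."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("ascii")

def pwned_count(password, range_lookup=fetch_range):
    """How often the password appears in HIBP; only the hash prefix leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_password(password, range_lookup=fetch_range):
    """Return (accepted, reason); a False result becomes a non-zero exit status."""
    if not meets_complexity(password):
        return False, "does not meet complexity"
    if pwned_count(password, range_lookup) > 0:
        return False, "found in HIBP"
    return True, "ok"

if __name__ == "__main__":
    accepted, reason = check_password(sys.stdin.readline().rstrip("\n"))
    print(reason, file=sys.stderr)
    sys.exit(0 if accepted else 1)
```

Because the AD code path runs the script as root and without substitution (per the commit quoted above), the script only sees the password itself, so the account-name check from the AD policy cannot be reproduced here.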