samba - Feb 2022 - password complexity bypasswd by check password script

On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <samba at
lists.samba.org> wrote:
>
> Users are created with Windows RSAT tools and custom internal applications
> (ldap clients).
>
> Just to be clear, I'm talking about this samba configuration parameter:
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
>
> Now that I know this, I'll just implement a complexity check in my
script
> and the problem will be solved for me.
>
> I wrote this email because I'm not sure if this is a bug or feature.
Like I
> said, it can lead to failure to comply with security policies. If this is
> working as expected, I suggest editing the documentation to make it more
> obvious.
>
> Thank you!
>
> Le jeu. 24 f?vr. 2022 ? 16:29, Rowland Penny via samba <
> samba at lists.samba.org> a ?crit :
>
> > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > Hello,
> > >
> > > I was wondering why my DC allowed users to set weak passwords
even if
> > > the
> > > domain password policy requires "complexity".
> > >
> > > I'm using a "check password script" that verifies
if the password is
> > > leaked
> > > in the HIBP database. I found that defining a check password
script
> > > REPLACE
> > > completely the built-in password complexity check.
I am also using the "check password script" option in smb.conf to
check passwords against the HIBP database
(https://gitlab.com/JonathonReinhart/passhashdb).

I, too, was completely unaware that using "check password script"
bypasses the built-in password complexity checks.  Andrew, I
understand your rationale, and I agree with Francis that a
documentation update would be very welcome.

Jonathon

On Thu, 2022-02-24 at 16:50 -0500, Jonathon Reinhart via samba
wrote:
> On Thu, Feb 24, 2022 at 4:38 PM Francis via samba <
> samba at lists.samba.org> wrote:
> > Users are created with Windows RSAT tools and custom internal
> > applications
> > (ldap clients).
> > 
> > Just to be clear, I'm talking about this samba configuration
> > parameter:
> >
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm1542
> > 
> > Now that I know this, I'll just implement a complexity check in my
> > script
> > and the problem will be solved for me.
> > 
> > I wrote this email because I'm not sure if this is a bug or
> > feature. Like I
> > said, it can lead to failure to comply with security policies. If
> > this is
> > working as expected, I suggest editing the documentation to make it
> > more
> > obvious.
> > 
> > Thank you!
> > 
> > Le jeu. 24 f?vr. 2022 ? 16:29, Rowland Penny via samba <
> > samba at lists.samba.org> a ?crit :
> > 
> > > On Thu, 2022-02-24 at 16:16 -0500, Francis via samba wrote:
> > > > Hello,
> > > > 
> > > > I was wondering why my DC allowed users to set weak
passwords
> > > > even if
> > > > the
> > > > domain password policy requires "complexity".
> > > > 
> > > > I'm using a "check password script" that
verifies if the
> > > > password is
> > > > leaked
> > > > in the HIBP database. I found that defining a check password
> > > > script
> > > > REPLACE
> > > > completely the built-in password complexity check.
> 
> I am also using the "check password script" option in smb.conf to
> check passwords against the HIBP database
> (https://gitlab.com/JonathonReinhart/passhashdb).
> 
> I, too, was completely unaware that using "check password script"
> bypasses the built-in password complexity checks.  Andrew, I
> understand your rationale, and I agree with Francis that a
> documentation update would be very welcome.
So please prepare the documentation patch, and also please write update
a wiki page on using the HIBP database.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions