samba - May 2022 - Restrict certain words in passwords

HI

-Thank you for the informations.


 From what I've seen the script doesn't run when the password is changed
by "Windows", which is a problem.

My idea would be just a custom blacklist of words that could not contain 
in the password....[

Regards;

Em 19/05/2022 19:33, Jonathon Reinhart escreveu:
> On Thu, May 19, 2022 at 7:59 AM Carlos Alberto Panozzo Cunha via samba
> <samba at lists.samba.org> wrote:
>> Hi!
>>
>> Sorry, I couldn't understand what you meant, could you explain
again? :-D
>>
>> Regards;
>>
>>
>> Em ter., 17 de mai. de 2022 ?s 18:12, Andrew Bartlett <abartlet at
samba.org>
>> escreveu:
>>
>>> On Tue, 2022-05-17 at 16:25 -0300, Carlos via samba wrote:
>>>> Hi. I wonder, if is possivel restrict certain words in password
of
>>>> users
>>>> ? To dont permissionded user for exemple set "XXXX"
in your
>>>> password,
>>>> with "XXX1" or "XXX@" or
"123XXX"...
>>> See 'check password script'.  Some have set this up to
check against
>>> the master list of known public passwords from haveibeenpwned for
>>> example.  Be aware that this overrides the other complexity checks
(to
>>> allow you to do that, if you need, eg to allow a passphrase).
>>>
>>> Andrew Bartlett
> Carlos,
>
> See this recent conversation:
> https://lists.samba.org/archive/samba/2022-April/240363.html
>
> However, there was some doubt as to whether or not it always works. I
> haven't had time to troubleshoot this.
>
> Jonathon

Note that the script will only operate on the AD DC for accounts that
are required to have password complexity.  If those AD accounts are not
under such a domain-wide or fine-grained password policy it won't
apply.

The script is tested, so I think this is a configuration issue, so
please continue to investigate.  We will also accept improvements to
the documentation and wiki.

Andrew Bartlett

On Tue, 2022-05-24 at 19:20 -0300, Carlos via samba
wrote:
> HI
> 
> -Thank you for the informations.
> 
> 
>  From what I've seen the script doesn't run when the password is
changed
> by "Windows", which is a problem.
> 
> My idea would be just a custom blacklist of words that could not contain 
> in the password....[
> 
> Regards;
> 
> Em 19/05/2022 19:33, Jonathon Reinhart escreveu:
> > On Thu, May 19, 2022 at 7:59 AM Carlos Alberto Panozzo Cunha via samba
> > <samba at lists.samba.org> wrote:
> > > Hi!
> > > 
> > > Sorry, I couldn't understand what you meant, could you
explain again? :-D
> > > 
> > > Regards;
> > > 
> > > 
> > > Em ter., 17 de mai. de 2022 ?s 18:12, Andrew Bartlett
<abartlet at samba.org>
> > > escreveu:
> > > 
> > > > On Tue, 2022-05-17 at 16:25 -0300, Carlos via samba wrote:
> > > > > Hi. I wonder, if is possivel restrict certain words in
password of
> > > > > users
> > > > > ? To dont permissionded user for exemple set
"XXXX" in your
> > > > > password,
> > > > > with "XXX1" or "XXX@" or
"123XXX"...
> > > > See 'check password script'.  Some have set this up
to check against
> > > > the master list of known public passwords from
haveibeenpwned for
> > > > example.  Be aware that this overrides the other complexity
checks (to
> > > > allow you to do that, if you need, eg to allow a
passphrase).
> > > > 
> > > > Andrew Bartlett
> > Carlos,
> > 
> > See this recent conversation:
> > https://lists.samba.org/archive/samba/2022-April/240363.html
> > 
> > However, there was some doubt as to whether or not it always works. I
> > haven't had time to troubleshoot this.
> > 
> > Jonathon
> 
-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba