Password config available?

NethServer Version: 7.8.2003
Module: base

Is there a conf file or way to adjust the password requirements on the tool? We don’t need the ‘similar’ password requirement.

I’m not aware of a “similar” requirement. There is an “equal” requirement, that you enter the same password twice to make sure you typed it correctly–is that what you’re referring to?

The only adjustment I’m aware of is to have the password policy strong or weak.

The tool checks against your AD password history and, while we’re good with disallowing password reuse, the tool here won’t let you use something that’s similar. Ex: CorrectBatteryHorseStaple5% is too similar to CorrectBatteryHorseStaple5$, though our AD rule would allow that.

When “Require strong passwords” is enabled and Active Directory is used, the password history is set to the default of 24.

If Samba Active Directory is installed, also the system will enable password history
(Source)

If you like strong passwords without password history:

nsdc-run -- samba-tool domain passwordsettings set --history-length=0

Check settings:

nsdc-run -- samba-tool domain passwordsettings show

Source:

https://wiki.samba.org/index.php/Password_Settings_Objects

[09:45 root@SERVER ~] > nsdc-run -- samba-tool domain passwordsettings show
-bash: nsdc-run: command not found

Is there another suggestion? Find also didn’t find the command, or the samba-tool command.

Strange, do you use local AD account provider?

nsdc-run runs commands in the samba container.

Nope.

I saw you used remote AD over a Win 2016 Server, is it still this configuration?
I guess the password policy in this case is managed by the Windows Server, I did not find history handling in the user settings code.

Yes, this is the same server. I determined that there was a config problem with dnsmasq and once I corrected that, the problem with logging in and changing passwords was eliminated, but now there is the issue of similarities to old passwords. That’s not in our AD GPOs and there’s no password object defined via dsac.

I think I still got the test VMs, I am going to try to reproduce it…I’ll report when I find something.

EDIT:

The only workaround I found is to comment out the password quality check in /usr/libexec/nethserver/api/system-password/check-pwquality from line 55 to 61.

new = lines[1]

# execute pwquality checkes
#try:
#    pw_quality = pwquality.PWQSettings()
#    pw_quality.read_config()
#    pw_quality.check(new, old, None)
#except pwquality.PWQError as (e, msg):
#    print(msg)
#    sys.exit(1)

sys.exit(0)

What quality is left at this point, or will it match to the AD? If it matches to AD, does that AD need the object defined in DSAC?

Yes, it should match to AD. You do not need extra objects in AD.

Thanks, @mrmarkuz!
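
What the commented-out `pw_quality.check(new, old, None)` call contributes, shown on the password pair quoted in the thread. This is an added example, not code from the posts, NethServer or libpwquality: a simplified stand-alone model of an old-versus-new similarity test. The edit-distance rule, the threshold values and the helper `check_new_password` are assumptions for illustration; `difok` is named after the pwquality setting.

```python
# Added illustration: simplified model of an old-vs-new password similarity
# check. This is NOT libpwquality's or NethServer's code; the edit-distance
# rule and the thresholds are assumptions made for the example.

def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new, old, difok):
    """Return (accepted, reason). difok is the minimum number of edits
    required between old and new; 0 skips the similarity test only."""
    if new == old:
        return False, "same as the old password"
    if new.lower() == old.lower():
        return False, "case changes only"
    if difok > 0 and edit_distance(old, new) < difok:
        return False, "too similar to the old password"
    return True, "ok"


# Constructed sample: the pair quoted in the thread.
OLD = "CorrectBatteryHorseStaple5$"
NEW = "CorrectBatteryHorseStaple5%"

if __name__ == "__main__":
    for difok in (5, 1, 0):  # assumed thresholds, from strict to disabled
        print(difok, check_new_password(NEW, OLD, difok))
    # Exact reuse is still refused even with the similarity test off.
    print(0, check_new_password(OLD, OLD, 0))
```

In this model, lowering the threshold relaxes only the similarity test and keeps the exact-reuse and case-only tests, whereas commenting out the whole `try` block removes every local test at once.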
