Password Policies

NethServer Version: 7.9.2009 (final)
Module: AD-DC

Hey guys

I have a problem with the password policy.
I set the passwords to be strong and every 90 days they expire.

image

I noticed that when passwords expire I can create a ‘weak’ password.

For example
My current password is W3ll1ngt0n@21
The password expired and I changed it to Wellington21. The system accepted. This is not a strong password.

Is there any way the system can accept passwords with special characters?

1 Like

Where did you change the password? Via OS or user settings page…?

Sorry, I forgot to mention that.
It’s via the Windows OS, usually with CTRL+ALT+DEL.

1 Like

Integration between Samba DC and Windows is not that close…

So there’s nothing to do?
Neither via command line?

What’s the output of:

1 Like

I could reproduce the issue, it seems samba does not force special chars even if complexity is enabled :unamused:
It seems to force a capital letter and digits but I couldn’t find documentation about samba password complexity.

There’s a possibility to use a password script to check the password, see smb.conf manpage

I found an old example script but I didn’t test.

Another way is using the user settings page instead of the OS for password changes.

2 Likes

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Thanks for the help but it didn’t work.

This option is infeasible. There are more than 200 users here. Imagine having to come here and change the password when it expires :joy:

I will try

1 Like

The user settings page could be public so users can change their passwords from outside even by mobile.

This option?
image
Does not work
image
I believe that this option is not viable for us. Maybe I’ll just use it if I don’t have any more options.

Yes, this option. Hm, here it works. If you want to use it we could try to solve it but I think you should go for the script. If I find time I’m going to play with it…

1 Like

I’m not a Windows expert :roll_eyes:

As an alternative, is it possible to configure the Windows clients with a GPO (group policy) to reflect the domain password requirements?

1 Like

I can check if it can be done.

1 Like

didn’t work :expressionless:

The password complexity doesn’t really force a special char, I’m going to test the script option…

From MS docs:

The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.
  • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.

1 Like

:warning: RPM with fix released! Read also here: Password Policies - #26 by davidep


I got a working script. I just adapted the example script to work. I’m not a perl expert so please check the script and ping me if there’s something to improve.

Put the script checkpassword.pl to /var/lib/machines/nsdc/usr/local/sbin/ and set execute permission:

chmod +x /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add

check password script = /usr/local/sbin/checkpassword.pl

to the global section.

Restart samba:

systemctl -M nsdc restart samba

Now a special character should be needed in the password.

To test the script:

[root@server2 ~]# echo Weakpassword1 | /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl 
not enough special characters, minimum 1 and got 0

There are some other interesting scripts like the samba example using cracklib or a python script using haveibeenpwnd.

3 Likes
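As an added example (not the Perl script from the post above, and not Samba's own example script), here is a checker in the shape Samba's `check password script` option expects: it assumes the smb.conf contract that the candidate password arrives on standard input and that exit status 0 means accept, anything else reject. It implements the "three of five categories" rule quoted from the Microsoft docs earlier in the thread and adds the missing requirement of at least one special character, which is exactly the gap the thread found (`Wellington21` satisfies the Windows rule but has no special character). The thresholds and the rejection message are constructed to mirror the values shown in the thread.

```python
#!/usr/bin/env python3
"""Password complexity checker usable as a Samba 'check password script'.

Added example, not the thread's Perl script or Samba's example script.
Assumes the smb.conf contract: the candidate password is sent on stdin,
exit 0 accepts it, any other status (with a reason on stdout) rejects it.
"""
import sys
import unicodedata

MIN_LENGTH = 7          # mirrors "Minimum password length: 7" from the thread
MIN_CATEGORIES = 3      # Windows rule: characters from 3 of the 5 categories
MIN_SPECIAL = 1         # the extra requirement the thread wanted enforced

# The non-alphanumeric set quoted from the Microsoft docs; currency symbols
# such as the Euro or Pound are deliberately not in it.
SPECIAL_CHARS = set('~!@#$%^&*_-+=`|(){}:;"\'<>,.?/')


def categories(password):
    """Return the set of Windows complexity categories present in password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if ch in SPECIAL_CHARS:
            found.add("special")
        elif cat == "Lu":                    # uppercase letters, incl. diacritics
            found.add("upper")
        elif cat == "Ll":                    # lowercase letters, incl. sharp-s
            found.add("lower")
        elif ch.isascii() and ch.isdigit():  # base-10 digits 0 through 9 only
            found.add("digit")
        elif cat.startswith("L"):            # alphabetic but neither upper nor lower
            found.add("other_alpha")
    return found


def check_password(password):
    """Return (ok, reason); ok is True only when every rule passes."""
    if len(password) < MIN_LENGTH:
        return False, f"too short, minimum {MIN_LENGTH} and got {len(password)}"
    cats = categories(password)
    if len(cats) < MIN_CATEGORIES:
        return False, (f"needs characters from {MIN_CATEGORIES} categories, "
                       f"got {len(cats)}")
    specials = sum(1 for ch in password if ch in SPECIAL_CHARS)
    if specials < MIN_SPECIAL:
        return False, (f"not enough special characters, minimum {MIN_SPECIAL} "
                       f"and got {specials}")
    return True, "ok"


def main():
    # Samba writes the new password to stdin; strip only the line ending so
    # leading or trailing spaces inside the password are preserved.
    password = sys.stdin.readline().rstrip("\r\n")
    ok, reason = check_password(password)
    if not ok:
        print(reason)
        sys.exit(1)
    sys.exit(0)


if __name__ == "__main__":
    main()
```

Run it the same way the post tests its Perl script, `echo Weakpassword1 | ./checkpassword.py`, and it prints the reason and exits 1. One deliberate omission: the full Windows rule also rejects passwords containing the account name, but the script only receives the password on stdin, so that check cannot be done here.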

Thanks man, you’re amazing :grinning_face_with_smiling_eyes:
It works!

I suppose it’s -M, right? -N shows up as invalid option.

Thanks for the tips too :grinning:

1 Like

You’re welcome.

Yes, thanks, I corrected it.

1 Like

May I suggest copying these instructions and the script to the NethServer documentation?

2 Likes