NethServer Version: 7.9.2009 (final)
Module: AD-DC
Hey guys
I have a problem with the password policy.
I set the passwords to be strong and every 90 days they expire.
I noticed that when passwords expire I can create a ‘weak’ password.
For example
My current password is W3ll1ngt0n@21
The password expired and I changed it to Wellington21. The system accepted. This is not a strong password.
Is there any way the system can accept passwords with special characters?
Where did you change the password? Via OS or user settings page…?
Sorry, I forgot to mention that.
it’s via OS Windows, Usually in CTRL+ALT+DEL
Integration between Samba DC and Windows is not that close…
So there’s nothing to do?
Neither via command line?
What’s the output of:
I could reproduce the issue, it seems samba does not force special chars even if complexity is enabled 
It seems to force a capital letter and digits but I couldn’t find documentation about samba password complexity.
There’s a possibility to use a password script to check the password, see smb.conf manpage
I found an old example script but I didn’t test.
Another way is using the user settings page instead the OS for password changes.
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
Thanks for the help but it didn’t work.
Infeasible this option. Here are more than 200 users. Imagine having to come here and change the password when it expires 
I will try
The user settings page could be public so users can change their passwords from outside even by mobile.
This option?
Does not work
I believe that this option is not viable for us. Maybe I’ll just use it if I don’t have any more options.
Yes, this option. Hm, here it works. If you want to use it we could try to solve it but I think you should go for the script. If I find time I’m going to play with it…
I’m not a Windows expert 
As alternative, is it possible to configure the windows clients with a GPO (group policy) to reflect the domain password requirements?
I can check if it can be done.
didn’t work 
The password complexity doesn’t really force a special char, I’m going to test the script option…
From MS docs:
The password contains characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}[]:;"’<>,.?/) Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.
- Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.
I got a working script. I just adapted the example script to work. I’m not a perl expert so please check the script and ping me if there’s something to improve.
Put the script checkpassword.pl to /var/lib/machines/nsdc/usr/local/sbin/ and set execute permission:
chmod +x /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl
Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add
check password script = /usr/local/sbin/checkpassword.pl
to the global section.
Restart samba:
systemctl -M nsdc restart samba
Now a special character should be needed in the password.
To test the script:
[root@server2 ~]# echo Weakpassword1 | /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl
not enough special characters, minimum 1 and got 0
There are some other interesting scripts like the samba example using cracklib or a python script using haveibeenpwnd.
Thanks man, you’re amazing 
It’s work!
I suppose it’s -M, right? -N shows up as invalid option.
Thanks for the tips too 
You’re welcome.
Yes, thanks, I corrected it.
May i suggest to… copy these instruction and the script to NethServer documentation?