Password Policies

Support
, , ,
#1

NethServer Version: 7.9.2009 (final)
Module: AD-DC

Hey guys

I have a problem with the password policy.
I set the passwords to be strong and every 90 days they expire.

image

I noticed that when passwords expire I can create a ‘weak’ password.

For example
My current password is W3ll1ngt0n@21
The password expired and I changed it to Wellington21. The system accepted. This is not a strong password.

Is there any way the system can accept passwords with special characters?

1 Like
#2

Where did you change the password? Via OS or user settings page…?

#3

Sorry, I forgot to mention that.
it’s via OS Windows, Usually in CTRL+ALT+DEL

1 Like
#4

Integration between Samba DC and Windows is not that close…

#5

So there’s nothing to do?
Neither via command line?

#6

What’s the output of:

1 Like
#7

I could reproduce the issue, it seems samba does not force special chars even if complexity is enabled :unamused:
It seems to force a capital letter and digits but I couldn’t find documentation about samba password complexity.

There’s a possibility to use a password script to check the password, see smb.conf manpage

I found an old example script but I didn’t test.

Another way is using the user settings page instead the OS for password changes.

2 Likes
#8

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

#9

Thanks for the help but it didn’t work.

Infeasible this option. Here are more than 200 users. Imagine having to come here and change the password when it expires :joy:

I will try

1 Like
#10

The user settings page could be public so users can change their passwords from outside even by mobile.

#11

This option?
image
Does not work
image
I believe that this option is not viable for us. Maybe I’ll just use it if I don’t have any more options.

#12

Yes, this option. Hm, here it works. If you want to use it we could try to solve it but I think you should go for the script. If I find time I’m going to play with it…

1 Like
#13

I’m not a Windows expert :roll_eyes:

As alternative, is it possible to configure the windows clients with a GPO (group policy) to reflect the domain password requirements?

1 Like
#15

I can check if it can be done.

1 Like
#16

didn’t work :expressionless:

#17

The password complexity doesn’t really force a special char, I’m going to test the script option…

From MS docs:

The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}[]:;"’<>,.?/) Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.
  • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.
1 Like
#18

:warning: RPM with fix released! Read also here: Password Policies - #26 by davidep

I got a working script. I just adapted the example script to work. I’m not a perl expert so please check the script and ping me if there’s something to improve.

Put the script checkpassword.pl to /var/lib/machines/nsdc/usr/local/sbin/ and set execute permission:

chmod +x /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add

check password script = /usr/local/sbin/checkpassword.pl

to the global section.

Restart samba:

systemctl -M nsdc restart samba

Now a special character should be needed in the password.

To test the script:

[root@server2 ~]# echo Weakpassword1 | /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl 
not enough special characters, minimum 1 and got 0

There are some other interesting scripts like the samba example using cracklib or a python script using haveibeenpwnd.

3 Likes
#19

Thanks man, you’re amazing :grinning_face_with_smiling_eyes:
It’s work!

I suppose it’s -M, right? -N shows up as invalid option.

Thanks for the tips too :grinning:

1 Like
#20

You’re welcome.

Yes, thanks, I corrected it.

1 Like
#21

May i suggest to… copy these instruction and the script to NethServer documentation?

2 Likes