Password Policies

The user settings page could be public so users can change their passwords from outside, even from a mobile device.

This option?
Does not work
I believe that this option is not viable for us. Maybe I’ll just use it if I don’t have any more options.

Yes, this option. Hm, here it works. If you want to use it we could try to solve it but I think you should go for the script. If I find time I’m going to play with it…


I’m not a Windows expert :roll_eyes:

As an alternative, is it possible to configure the Windows clients with a GPO (group policy) to reflect the domain password requirements?


I can check if it can be done.


Didn’t work :expressionless:

The password complexity doesn’t really force a special char. I’m going to test the script option…

From MS docs:

The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.
  • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.

:warning: RPM with fix released! Read also here: Password Policies - #26 by davidep


I got a working script. I just adapted the example script to work. I’m not a Perl expert, so please check the script and ping me if there’s something to improve.

Put the script checkpassword.pl in /var/lib/machines/nsdc/usr/local/sbin/ and set the execute permission:

chmod +x /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add

check password script = /usr/local/sbin/checkpassword.pl

to the global section.

Restart samba:

systemctl -M nsdc restart samba

Now a special character should be needed in the password.

To test the script:

[root@server2 ~]# echo Weakpassword1 | /var/lib/machines/nsdc/usr/local/sbin/checkpassword.pl 
not enough special characters, minimum 1 and got 0

There are some other interesting scripts, like the Samba example using cracklib or a Python script using haveibeenpwned.

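As an added example (not the checkpassword.pl from the post above, and not NethServer or Samba project code), the following Python script implements the same kind of Samba "check password script". Samba runs the configured script with the new password on standard input and refuses the change unless the script exits 0. The script also implements the "three of five categories" rule quoted from the Microsoft docs, so you can see why Weakpassword1 passes the default Windows complexity check while failing the special-character requirement. The minimum length, the message wording and the function names are this example's own choices.

```python
#!/usr/bin/env python3
"""Example Samba 'check password script' (added example, not the thread's checkpassword.pl).

Samba contract: the new password arrives on stdin; exit 0 to accept it,
non-zero to reject it.
"""
import sys
import unicodedata

# Special characters exactly as listed in the Microsoft complexity docs quoted above.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|(){}:;\"'<>,.?/")


def categories(password):
    """Return the set of Windows complexity categories present in the password."""
    cats = set()
    for ch in password:
        if ch in SPECIAL_CHARS:
            cats.add("special")
        elif ch in "0123456789":                 # base-10 digits only
            cats.add("digit")
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif unicodedata.category(ch).startswith("L"):
            cats.add("other_alpha")              # caseless letters, e.g. CJK
    return cats


def windows_complexity(password):
    """True when the password satisfies the default 'three of five categories' rule.

    This is the check the thread found insufficient: Weakpassword1 passes it
    with upper + lower + digit and no special character at all.
    """
    return len(categories(password)) >= 3


def count_special(password):
    """Number of characters from the documented special-character set."""
    return sum(1 for ch in password if ch in SPECIAL_CHARS)


def check_password(password, min_special=1, min_length=8):
    """Stricter policy: at least min_special special chars and min_length chars.

    min_length=8 is an assumption of this example, not something the thread sets.
    Returns (ok, reason) so the result can be tested without running main().
    """
    if len(password) < min_length:
        return False, f"too short, minimum {min_length} and got {len(password)}"
    got = count_special(password)
    if got < min_special:
        return False, f"not enough special characters, minimum {min_special} and got {got}"
    return True, "ok"


def main():
    # Samba writes the new password to stdin; strip only the line ending so
    # passwords containing spaces are checked exactly as typed.
    password = sys.stdin.readline().rstrip("\r\n")
    ok, reason = check_password(password)
    if not ok:
        print(reason)
        sys.exit(1)   # non-zero exit: Samba rejects the password change
    sys.exit(0)


if __name__ == "__main__":
    main()
```

Install it the same way as the Perl script in the post (copy into the nsdc container, chmod +x, point check password script at it, restart samba) and test it before going live, e.g. `echo Weakpassword1 | /usr/local/sbin/checkpassword.py; echo $?` should print the rejection message and 1, while a password with a special character exits 0. Because Samba only consults the script at password-change time, existing passwords are unaffected until the user next changes theirs, which is exactly the support concern raised later in this thread.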

Thanks man, you’re amazing :grinning_face_with_smiling_eyes:
It works!

I suppose it’s -M, right? -N shows up as invalid option.

Thanks for the tips too :grinning:


You’re welcome.

Yes, thanks, I corrected it.


May I suggest copying these instructions and the script to the NethServer documentation?


Not the docs, I’d rather file a bug or an NFR!

If the script runs only during the password change, we could even add it to every installation, like a bug fix.

That might sound risky. As alternative we can limit the fix impact to new installations only, and document how to apply it manually to existing installations.

What is your favorite approach?


That is what I’m asking for

dev team choice, man :wink:


I prefer this approach, so as not to change, by an update, a password policy users are used to.

I’m going to file a bug and open a PR…


Thank you for the PR MrMarkuz! :heart:


Bugfix (partial) released! Thank you again @mrmarkuz


May I say… “OUCH”?
After a small nano tour I applied the documented edit, but the size of the bug is… not that small, to say the least.
So the update should be flawless, fully automated and less sysadmin-error-prone, IMVHO…

I read again the above discussion.

The decision was to avoid the automatic update, and you were asking for a documented procedure.

…Or am I missing something??

I asked for documentation AFTER a “non-debatable decision” to avoid the automatic update.
It seemed necessary to me…

I mean…
Development direction is quite difficult to change once taken. Therefore, I avoided starting to “lobby” for the fully automatic procedure.

I’m afraid that’s not easily possible in this case.
There are admins (like me) who are used to the “bug”, using the default Windows password policy for their Windows client users. If we fully automate the update, users suddenly need to enter a special char at the next password change without being told to do so. Horrible support scenario…

The manual update procedure is 3 steps; I think it’s not that error-prone.

I think it’s a good compromise to have the password script ready in any case but not change existing installations. For new installations the script is applied automatically, so they never see the bug; old installations are unchanged to avoid password change problems, but a manual procedure is available to fix the bug.
If we just wrote it in the docs, all admins would have to apply the fix manually and we would have no automation at all.
I don’t see a better solution to cover all these cases.
