Password Policies

davidep · December 20, 2021, 11:17pm

Not the docs, I’d rather file a bug or a nfr!

If the script runs only during the password change, we could even add it to every installation, like a bug fix.

That might sound risky. As alternative we can limit the fix impact to new installations only, and document how to apply it manually to existing installations.

What is your favorite approach?

pike · December 21, 2021, 7:00am

That is what I’m asking for

dev team choice, man

mrmarkuz · December 21, 2021, 8:31am

I prefer this approach to not change a password policy users are used to by update.

I’m going to file a bug and open a PR…

davidep · January 10, 2022, 5:24pm

Thank you for the PR MrMarkuz!

davidep · January 28, 2022, 9:36am

Bugfix (partial) released! Thank you again @mrmarkuz

The bug is fixed for new installations
The smb.conf must be changed manually to apply the fix to existing installations: follow the procedure documented at nethserver-dc — NethServer 7 documentation

github.com/NethServer/dev

Password policy is not respected on samba AD clients

opened 09:48PM - 21 Dec 21 UTC

closed 09:27AM - 28 Jan 22 UTC

mrmarkuz

bug verified

Samba AD uses Windows password policy for clients instead of using the strong pa…ssword policy defined in NethServer. A check password script can be defined in `smb.conf` by using the `check password script` option. This [script](https://gist.github.com/mrmarkuz/9b05e0bb10e74a6e101940ffb5066a71) forces the NethServer password policy on Samba clients. **Steps to reproduce** - Create AD User in server manager using strong password policy - Change the password from a Samba client to a weak password for example without special char **Expected behavior** The password is not accepted. **Actual behavior** The password is accepted. **Components** nethserver-dc-1.8.2-1 **See also** https://community.nethserver.org/t/password-policies/19476/18?u=mrmarkuz ---- Thanks to Wellington Rodrigues for raising the issue.

pike · January 28, 2022, 3:49pm

May I say… “OUCH” ?
After a small nano tour I applied the document edit but the size of the bug is… Not that small, to say the least.
So update should be flawless. fully automated and less-sysadmin-error-prone, IMVHO…

davidep · January 28, 2022, 6:06pm

I read again the above discussion.

The decision was to avoid the automatic update, and you were asking for a documented procedure.

…Or am I missing something??

pike · January 28, 2022, 6:09pm

I asked documentation AFTER a “non debatable decision” for avoid the automatic update.
Seemed necessary to me…

I mean…
Development direction is quite difficult to change, when taken. Therefore, I avoided to start “lobbing” for the full automatic procedure.

mrmarkuz · January 28, 2022, 10:15pm

I’m afraid that’s not easily possible in this case.
There are admins (like me) that are used to the “bug”, using the default Windows password policy for their Windows clients users. If we fully automate the update, users suddenly need to enter a special char at next password change without getting an information to do so. Horrible support scenario…

The manual update procedure are 3 steps, I think it’s not that error-prone.

I think it’s a good compromise to have the password script ready in any case but don’t change existing installations. For new installations the script is applied automatically so they never see the bug, old installations are unchanged to avoid password change problems but a manual procedure is available to fix the bug.
If we just wrote it to the docs, all admins would have to apply the fix manually and we have no automatism at all.
I don’t see a better solution to cover all these cases.