Password Policy

activedirectory
project-card

(Wayne Bilger) #1

I’m just testing using NS as my main ADDC, and getting rid of Zentyal.
Is there a way to edit the password policy at all?
I’ve searched, and can’t find any information, and having just strong and off is pretty limiting. And not being able to set your own policy is pretty limiting too, besides not allowing of changing own passwords and manually enforcing.
Also, I’ve seen this asked before, but just asking again in case anything can be done, but I need to ignore password policy for a couple of users. Is this possible? I know the security risks, but these are users that have access to one specific folder, and a simple password is all that is needed.


(Davide Principi) #2

Could you provide a link to that topic?

I’m afraid this is still not possible with Samba 4.8: the password policy affects every domain account. However things will change as soon as we upgrade to 4.9 because “Password Settings Objects” are implemented!

However, pay attention to performance hit of PSOs.

More information:

Card added:
https://github.com/orgs/NethServer/projects/1#card-18717279


(Wayne Bilger) #3


It was referring to the 2nd question, which you kind of answered. I can live without disabling password check until 4.9 comes out, and then will investigate whether performance hit is worth it.

My more pressing question is the first one, is there an ability to change the “Strong” password policy?


(Davide Principi) #4

This is what samba-tool allows us to do:

[root@vm5 ~]# nsdc-run -- samba-tool domain passwordsettings show
Password informations for domain 'DC=ad,DC=dpnet,DC=nethesis,DC=it'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

I think “password complexity” can be switched on or off. There are no fine-grained settings for it.


(Wayne Bilger) #5

Darn, that really is too bad, is that a Samba limitation, or NS?
Can Minimum password length be changed?


(Enrique D) #6

Need to ask, is it possible to hide this banner?


(Wayne Bilger) #7

(Davide Principi) #8

Yes it can! NethServer has two password policy options: strong or weak. None of them changes the length requirements, so if you manually change that parameter its value should be always preserved. However I cannot promise this behavior won’t change in the future!

To change that min password length:

[root@vm5 ~]# nsdc-run -- samba-tool domain passwordsettings set --min-pwd-length=3
Minimum password length changed!
All changes applied successfully!

[root@vm5 ~]# nsdc-run -- samba-tool domain passwordsettings show
Password informations for domain 'DC=ad,DC=dpnet,DC=nethesis,DC=it'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
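A checker for the output shown in #4 and #8, added here as an example (it is not NethServer's or Samba's own code): it parses what samba-tool prints and flags settings below a simple baseline, which is the check worth running before lowering the minimum length as done above.

```python
"""Parse and sanity-check `samba-tool domain passwordsettings show` output.
Added example, not NethServer's or Samba's own code: it reads the text the
tool prints (format as shown in the thread) and flags weak settings."""
import re

# Constructed sample: the output shown in the thread after --min-pwd-length=3.
SAMPLE_OUTPUT = """\
Password informations for domain 'DC=ad,DC=dpnet,DC=nethesis,DC=it'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""
# "<name> (<unit>): <value>"; the unit in parentheses is optional.
LINE_RE = re.compile(r"^(?P<key>[^:]+?)(?: \([^)]*\))?:\s*(?P<value>\S+)$")


def parse_passwordsettings(text):
    """Return {setting_name: value}; numbers become int, on/off become bool."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # blank line or the "Password informations for domain" header
            continue
        value = m.group("value")
        if value in ("on", "off"):
            value = value == "on"
        elif value.isdigit():
            value = int(value)
        settings[m.group("key")] = value
    return settings


def assess(settings, min_length=7):
    """List settings weaker than a simple baseline; empty list means it passes."""
    findings = []
    if settings.get("Minimum password length", 0) < min_length:
        findings.append("minimum length below %d" % min_length)
    if not settings.get("Password complexity", False):
        findings.append("complexity off")
    if settings.get("Account lockout threshold", 0) == 0:
        findings.append("lockout disabled (threshold 0)")
    if settings.get("Maximum password age", 0) == 0:
        findings.append("passwords never expire (max age 0)")
    return findings
```

Feed it the real output with `nsdc-run -- samba-tool domain passwordsettings show | python3 check.py` (assuming the file is saved as check.py and extended to read stdin); the lockout threshold of 0 in the thread's output means failed logons are never locked out, which matters more once the minimum length drops to 3.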

(Wayne Bilger) #9

Worked perfect, thanks!


(Wayne Bilger) #10

Unfortunately this does not seem to be working anymore for me. It worked once, then not again. I’m running in a VM, so rolled back and tried again, and it doesn’t work, not even a first time anymore. Tried a fresh install, same thing, even if I tried before any updates. Weird.
But, if I use the user import script, it seems to work (although it failed once, but not since).
Not ideal as I can’t manually change a password, but not the end of the world unless something simple is going on.
I have password length set to 4, and it still complains password is too short.
Tried setting it back to 7, and back to 4, nothing.
I also tried setting it to 8, and it still accepts 7.


(Michael Kicks) #11

Would you please post the output of this input?


(Wayne Bilger) #12

Is there 1 dash or 2 between nsdc-run – samba-tool?
Copying the command above results in 1 dash (nsdc-run – samba-tool)
which results in

[root@serv-data ~]# nsdc-run – samba-tool domain passwordsettings show
[ERROR] nsdc-cmd failed to communicate with server

But, the original command given by Davide with 2 dashes, which I assume is correct and it is just an error from cut/paste, gives:

[root@serv-data ~]# nsdc-run -- samba-tool domain passwordsettings show
Password informations for domain ‘DC=mydomain,DC=lan’

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 4
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30


(Michael Kicks) #13

Sorry…
nsdc-run -- samba-tool domain passwordsettings show
Should be less confusing written like that :slight_smile:
Anyway: @davidep should NSDC be rebooted after this change?


(Wayne Bilger) #14

Yes, see above.
It seems to ignore the password length, and I did reboot the server when I tried as well.


(Davide Principi) #15

Maybe some experienced Windows sysadmin might help… I’m afraid Windows clients have their own minimum password length requirements that only a GPO or a manual local override can change.

On the Server Manager side, the password length is stored in the esmith db IIRC: the domain attribute is ignored.


(Michael Kicks) #16

Therefore server manager should collect password policy settings and pass it to NSDC?


(Davide Principi) #17

It’s false

The Server Manager enforces a minimum length, always

I think because the 7 chars requirement reflects what Windows clients do by default. I may be wrong, but it’s a minimum requirement: it’s not allowed to be less than that, no matter if complexity is enforced too.


(Wayne Bilger) #18

I don’t think this has anything to do with the windows clients. I cannot create or edit the NS users in AD with less than 7. If I change the password length to 8, it still allows 7, so it seems to be ignoring that value. At least in my install, and I have tried a fresh install 3 or 4 times.
But, I can use the import script and add users with length=4 passwords, and then can login to windows machines with that password, so the import script seems to use the password length, and the NS admin frontend does not.


(Davide Principi) #19

As said above, Server Manager has a hardcoded rule that wants at least 7 chars. It is not bound to the account provider rules.

Please try the change password procedure of win clients. Check if they allow less than 7 chars. Report also client version.


(Wayne Bilger) #20

Yes, I can change the password from the Windows clients.
It is confusing that the server manager does not follow the password length, but maybe this is something that will be changed in the future.
I will mark this as solved again. Thanks.