Univention Bugzilla – Bug 46557
Samba password history of 1 allows setting previous password
Last modified: 2021-05-03 21:35:53 CEST
Created attachment 9455 [details] 1.sh Samba password history of 1 allows setting previous password. See example reproducer script: root@master10:~# ./1.sh test1 1 Setting password history length to 1 Password history length changed! All changes applied successfully! Creating user test1 with password Univention.0 User 'test1' created successfully Changing password to Univention.1 Changed password OK Changing password to Univention.2 Changed password OK Changing password back to Univention.1 Changed password OK You have to set the password history length to 2 to stop the user from re-using the password before the current one: root@master10:~# ./1.sh test2 2 Setting password history length to 2 Password history length changed! All changes applied successfully! Creating user test2 with password Univention.0 User 'test2' created successfully Changing password to Univention.1 Changed password OK Changing password to Univention.2 Changed password OK Changing password back to Univention.1 ERROR: Failed to change password : (-1073741716, "samr_ChangePasswordUser3 for 'AR41I1\\test2' failed: NT_STATUS_PASSWORD_RESTRICTION") Checked with UCS 4.1-4 up to UCS 4.3-0 Samba 2:4.5.1-1.851.201701050832 up to 2:4.7.5-1A~4.3.0.201802131427 So, if it actually is a regression then it must have happened earlier. If this is normal AD behavior then we should point it out in the UCS documentation.