Bug 46557 - Samba password history of 1 allows setting previous password
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2018-03-08 18:11 CET by Arvid Requate
Modified: 2021-05-03 21:35 CEST (History)
What kind of report is it?: Development Internal

Attachments
1.sh (1.34 KB, application/x-shellscript)
2018-03-08 18:11 CET, Arvid Requate

Description by Arvid Requate (univentionstaff), 2018-03-08 18:11:23 CET
Created attachment 9455: 1.sh

Samba password history of 1 allows setting previous password. See example reproducer script:

root@master10:~# ./1.sh test1 1
Setting password history length to 1
Password history length changed!
All changes applied successfully!
Creating user test1 with password Univention.0
User 'test1' created successfully
Changing password to Univention.1
Changed password OK
Changing password to Univention.2
Changed password OK
Changing password back to Univention.1
Changed password OK

You have to set the password history length to 2 to stop the user from re-using the password before the current one:

root@master10:~# ./1.sh test2 2
Setting password history length to 2
Password history length changed!
All changes applied successfully!
Creating user test2 with password Univention.0
User 'test2' created successfully
Changing password to Univention.1
Changed password OK
Changing password to Univention.2
Changed password OK
Changing password back to Univention.1
ERROR: Failed to change password : (-1073741716, "samr_ChangePasswordUser3 for 'AR41I1\\test2' failed: NT_STATUS_PASSWORD_RESTRICTION")


Checked with UCS 4.1-4 up to UCS 4.3-0
Samba 2:4.5.1-1.851.201701050832 up to 2:4.7.5-1A~4.3.0.201802131427
So, if it actually is a regression then it must have happened earlier.

If this is normal AD behavior then we should point it out in the UCS documentation.
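The two reproducer runs above are consistent with a history that counts the current password as one of its entries, so a length of N only blocks the current password plus the N-1 before it. The following model is an added illustration of that reading, not the attached 1.sh and not Samba code; the digest is a stand-in for the stored hash and the class name is invented.

```python
"""Model of the password-history semantics the two reproducer runs show.

Constructed example, not the attached 1.sh: it assumes that the history
length counts the *current* password as one of the remembered entries,
so a length of N only blocks the current password plus the N-1 before it.
"""
import hashlib
from collections import deque


def _digest(password: str) -> str:
    # Stand-in for the hash Samba keeps in its password history (assumption:
    # any stable one-way digest is enough to model the equality comparison).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


class PasswordHistory:
    """Remembers the most recent `length` password digests, current one included."""

    def __init__(self, length: int, initial_password: str) -> None:
        if length < 1:
            raise ValueError("history length must be at least 1")
        self._entries = deque(maxlen=length)  # oldest entry drops off automatically
        self._entries.append(_digest(initial_password))

    def change(self, new_password: str) -> bool:
        """Return True and record the change, or False when the reuse is refused."""
        candidate = _digest(new_password)
        if candidate in self._entries:
            return False  # corresponds to NT_STATUS_PASSWORD_RESTRICTION in the run above
        self._entries.append(candidate)
        return True


def replay(history_length: int, changes: list, initial: str = "Univention.0") -> list:
    """Apply each password change in turn and return the per-step outcome."""
    history = PasswordHistory(history_length, initial)
    return [history.change(pw) for pw in changes]


def minimum_history_to_block(previous_passwords_to_block: int) -> int:
    """Length needed so that the N passwords before the current one are all refused."""
    return previous_passwords_to_block + 1


if __name__ == "__main__":
    sequence = ["Univention.1", "Univention.2", "Univention.1"]
    for n in (1, 2):
        print(f"history length {n}: {replay(n, sequence)}")
```

Under this model a length of 1 accepts all three changes and a length of 2 refuses the last one, matching the test1 and test2 runs.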