Bug 52053 - Samba password complexity check allows username in password
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2020-09-17 19:53 CEST by Arvid Requate
Modified: 2023-07-24 14:06 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?: Yes
Ticket number: 2021062121000157, 2023071421000361
Description Arvid Requate univentionstaff 2020-09-17 19:53:18 CEST
The password complexity check in Samba (4.10) doesn't complain if a new password contains the username, and I guess the same holds for the parts of the displayName. The standard Microsoft password complexity criteria state that this should be prevented:

https://docs.microsoft.com/de-de/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements


Note: In univention.password.Check() I implemented this additional check separately in Python (Bug #51994), but that's not called when changing the password via Samba.
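As an added illustration (not code from this report and not univention.password.Check()), the following Python implements the name-in-password rule from the Microsoft document linked above: the samAccountName is checked as a whole, the displayName is split at the delimiters the document lists (commas, periods, hyphens, underscores, spaces, pound signs, tabs), and each fragment of at least three characters must not appear in the password, compared case-insensitively. The account values in the sample run are constructed.

```python
import re

# Delimiters at which the Microsoft policy splits the displayName
# (commas, periods, hyphens, underscores, spaces, pound signs, tabs).
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
# Fragments (and a samAccountName) shorter than this are not checked.
_MIN_TOKEN_LEN = 3


def name_tokens(display_name: str) -> list:
    """Split a display name into the fragments the policy checks.

    Only fragments of at least three characters count, so an initial
    such as "J." never blocks a password on its own.
    """
    return [t for t in _NAME_DELIMITERS.split(display_name)
            if len(t) >= _MIN_TOKEN_LEN]


def contains_user_name(password: str, sam_account_name: str,
                       display_name: str = "") -> list:
    """Return the name fragments found inside the password (case-insensitive).

    An empty list means the password passes this part of the complexity
    check. The samAccountName is compared as a whole; like the displayName
    fragments it is skipped when shorter than three characters.
    """
    haystack = password.casefold()
    hits = []
    if (len(sam_account_name) >= _MIN_TOKEN_LEN
            and sam_account_name.casefold() in haystack):
        hits.append(sam_account_name)
    for token in name_tokens(display_name):
        if token.casefold() in haystack:
            hits.append(token)
    return hits


def check_password(password: str, sam_account_name: str,
                   display_name: str = "") -> bool:
    """True when the password embeds neither the account nor the display name."""
    return not contains_user_name(password, sam_account_name, display_name)


if __name__ == "__main__":
    # Constructed sample account (hypothetical values, not a real user).
    for candidate in ("Arequate-2020!", "Summer2020!Req", "Xy7#pQ9!zL"):
        print(candidate, check_password(candidate, "arequate", "Requate, Arvid"))
```

Note that "Summer2020!Req" passes: the policy only rejects whole fragments of three or more characters, not every three-letter substring of the name.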
Comment 1 Christina Scheinig univentionstaff 2021-06-24 16:16:27 CEST
A customer would like to enforce password policy complexity in their environment.

If a user is changing their password, they should be able to change it, but it should not include their username (and domain name). This is the customer's requirement, but unfortunately it is not working