Web lists-archives.com

[Samba] Combining "--complexity=off" and "check password script"

I would like to understand how the "check password script" interacts with enabling/disabling password complexity checks.

That is: if I configure

    check password script = /usr/local/samba/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

is this called *in addition* to the default complexity checking, or instead of it? And if I set

    samba-tool domain passwordsettings set --complexity=off

with a check password script configured, does this setting disable the check password script as well, or just the built-in complexity checking?

What I am actually trying to achieve is:

- DISABLE the requirement for complex character sets in passwords, but
- ENABLE a dictionary check

following the NCSC password guidance: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

But looking at the samba4 source, I suspect that setting complexity=off disables both checks. Is that correct?



To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba