Bug 4817 - 'Password complexity' failures when adding computer with MMC ADUC
'Password complexity' failures when adding computer with MMC ADUC
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Other
unspecified
All All
: P3 normal
: ---
Assigned To: Andrew Bartlett
Andrew Bartlett
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-25 11:49 UTC by Matthias Dieter Wallnöfer
Modified: 2007-08-22 02:37 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dieter Wallnöfer 2007-07-25 11:49:49 UTC
Currently, when I add a user account to SAMBA, there is the password complexity required. Unfortunately, there happens the same thing when adding a computer account in ADUC (where you can't set a password).
On a Windows Server there is the possibility, to control this behavior with the group policies. But on SAMBA this doesn't seem to work yet.
Maybe there should be deactivated that control until the program supports it in the right way.
Comment 1 Andrew Bartlett 2007-07-30 05:46:41 UTC
I've reproduced this.  I need to figure out what's going on here...
Comment 2 Andrew Bartlett 2007-08-07 21:42:15 UTC
The issue was that MMC ADUC sets a 14 (UCS2) character, made up of random bytes.  This natually doesn't include very many (almost never any) ASCII uppercase/lowercase characters, so it failed the complexity test.

I've fixed the test with -r 24273, so that on any reasonable 'random' buffer, we will accept the password. 
Comment 3 Matthias Dieter Wallnöfer 2007-08-17 10:17:15 UTC
The bug is reproducible when you add a computer object with ADUC and check "Allow pre-Windows 2000 computers to use this account".
Comment 4 Andrew Bartlett 2007-08-17 19:10:09 UTC
Ah, that would be setting the account password to machine$...

Hmm...
Comment 5 Andrew Bartlett 2007-08-21 23:30:00 UTC
-r 24611 should fix this.  It turns out that machine account passwords are not password quality checked at all.

Thankyou very much for chasing this up!
Comment 6 Matthias Dieter Wallnöfer 2007-08-22 02:37:37 UTC
Retested today, it works. So we can now also create empty computer accounts for older NT workstations (I think 3.1 / 3.51 / 4.0 maybe also OS/2).