The function check_password_quality in lib/util/genrand.c does not properly handle non-ASCII characters:
    root@samba4:~# samba-tool user setpassword user1 --newpassword='Ütf8pass'
    ERROR: Failed to set password for user 'user1': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!'
    root@samba4:~# samba-tool user setpassword user1 --newpassword='üTf8pass'
    Changed password OK
    root@samba4:~# samba-tool user setpassword user1 --newpassword='ÜÜÜ8p'
    Changed password OK
This also affects password changes initiated on Windows clients.
Created attachment 7798
This patch seems to fix the bug.
I tried to autobuild this, but it fails this test. We either need to fix the test or the code (perhaps compare with MS).
    UNEXPECTED(failure): samba4.local.genrand.check_password_quality(none)
    REASON: _StringException: _StringException: ../lib/util/tests/genrand.c:44: Expression `check_password_quality("abcdééàçè")' failed: valid
    FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
Created attachment 7804
Make password complexity rule closer to AD default
The standard AD complexity rules differ a bit, and require checking for characters from the username, which probably would require a change in the function arguments, requiring changes e.g. in the semantic of generate_random_password generate_random_string.
Created attachment 7805
Adjusted test cases for password complexity
The test case "abcdééàçè" used to work, because every two-byte character counted as two "high" characters (non-uppercase/-lowercase/-digit/-special) and check_password_quality permitted a password if number("high" characters)>number(total)/2 which IMHO does not seem to be a useful criterion. The previous commit adjusted the rule, this one adjusts the test cases.
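The byte-versus-character difference discussed in this thread, as an added C example that is not the attached patch or Samba's own code: `quality_bytewise` follows the rule as the comments describe it (the three-of-four ASCII class test is assumed), and `quality_codepoints` decodes UTF-8 before classifying. The function names, the three-of-five threshold and the Latin-1-only case ranges are assumptions for illustration; surrogates and values above U+10FFFF are not rejected by the decoder.

```c
#include <stdbool.h>
#include <string.h>

/* Byte-wise rule as described in the thread (3-of-4 ASCII classes assumed). */
bool quality_bytewise(const char *s)
{
    int digit = 0, upper = 0, lower = 0, special = 0;
    size_t high = 0, len = strlen(s);
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p >= '0' && *p <= '9') digit = 1;
        else if (*p >= 'A' && *p <= 'Z') upper = 1;
        else if (*p >= 'a' && *p <= 'z') lower = 1;
        else if (*p < 0x80) special = 1;
        else high++;  /* each byte of a multi-byte character lands here */
    }
    return digit + upper + lower + special >= 3 || high > len / 2;
}

/* Decode one UTF-8 sequence; returns its length, 0 if malformed or overlong. */
static size_t next_cp(const unsigned char *p, unsigned *cp)
{
    static const unsigned min[] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t n = p[0] < 0x80 ? 1 : (p[0] & 0xE0) == 0xC0 ? 2 :
               (p[0] & 0xF0) == 0xE0 ? 3 : (p[0] & 0xF8) == 0xF0 ? 4 : 0;
    if (n == 0) return 0;  /* stray continuation byte or invalid lead byte */
    *cp = n == 1 ? p[0] : p[0] & (0xFFu >> (n + 1));
    for (size_t i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;  /* also stops at the NUL */
        *cp = (*cp << 6) | (p[i] & 0x3Fu);
    }
    return *cp >= min[n] ? n : 0;
}

/* Character-wise rule; case data covers ASCII and Latin-1 Supplement only. */
bool quality_codepoints(const char *s)
{
    int digit = 0, upper = 0, lower = 0, special = 0, other = 0;
    unsigned cp;
    size_t n;
    for (const unsigned char *p = (const unsigned char *)s; *p; p += n) {
        if ((n = next_cp(p, &cp)) == 0) return false;  /* reject bad UTF-8 */
        if (cp >= '0' && cp <= '9') digit = 1;
        else if ((cp >= 'A' && cp <= 'Z') || (cp >= 0xC0 && cp <= 0xDE && cp != 0xD7)) upper = 1;
        else if ((cp >= 'a' && cp <= 'z') || (cp >= 0xDF && cp <= 0xFF && cp != 0xF7)) lower = 1;
        else if (cp < 0x80) special = 1;
        else other = 1;  /* any other non-ASCII code point */
    }
    return digit + upper + lower + special + other >= 3;
}
```

With the passwords from the report, the byte-wise rule rejects 'Ütf8pass' and accepts "abcdééàçè", while the code-point rule does the opposite.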
2k8+R2: http://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
2k3: http://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx
*** Bug 9631 has been marked as a duplicate of this bug. ***
Created attachment 8530
Patches for v4-0-test
==> Karolin for 4.0.X
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Included in 4.0.3. Closing out bug report. Thanks!