The function check_password_quality in lib/util/genrand.c does not properly handle non-ASCII characters:
root@samba4:~# samba-tool user setpassword user1 --newpassword='Ütf8pass'
ERROR: Failed to set password for user 'user1': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')
root@samba4:~# samba-tool user setpassword user1 --newpassword='üTf8pass'
Changed password OK
root@samba4:~# samba-tool user setpassword user1 --newpassword='ÜÜÜ8p'
Changed password OK
This also affects password changes initiated on Windows clients.
Created attachment 7798
This patch seems to fix the bug.
I tried to autobuild this, but it fails this test. We either need to fix the test or the code (perhaps compare with MS).
REASON: _StringException: _StringException: ../lib/util/tests/genrand.c:44: Expression `check_password_quality("abcdééàçè")' failed: valid
FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
Created attachment 7804
Make password complexity rule closer to AD default
The standard AD complexity rules differ a bit, and require checking for characters from the username, which probably would require a change in the function arguments, requiring changes e.g. in the semantics of generate_random_password and generate_random_string.
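As an added example for this thread (not Samba code and not the patch attached here), the C below does the two things the report and the previous comment are about: it decodes the password as UTF-8 and classifies each code point into the five AD categories, then applies the AD-style rule (characters from at least three of the five categories, and no account name of three or more characters embedded in the password). A per-byte classifier is included alongside so the difference can be seen on the report's own inputs: per byte, "Ütf8pass" is nine "characters" of which two fall into a catch-all category, per code point it is eight characters with an uppercase letter. Assumptions: the Latin-1 ranges in classify stand in for the Unicode general category a real implementation would consult, the account-name comparison is ASCII-only, and the account name "user1" and minimum length 7 used in the comments are made up for the example.

```c
/* Added example, not Samba code: apply an AD-style complexity rule to a UTF-8
 * password per code point, and show what a per-byte check sees instead. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { CAT_UPPER = 1, CAT_LOWER = 2, CAT_DIGIT = 4, CAT_SPECIAL = 8, CAT_OTHER = 16 };

/* Decode one UTF-8 sequence: bytes consumed, or 0 if truncated, malformed, overlong or a surrogate. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    size_t n; uint32_t c;
    if (len == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0) { n = 2; c = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; c = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; c = s[0] & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if ((n == 2 && c < 0x80) || (n == 3 && c < 0x800) || (n == 4 && c < 0x10000) ||
        c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return 0;
    *cp = c; return n;
}

/* AD category of one code point. ASCII and Latin-1 letters are exact; anything above U+00FF
 * counts as AD's fifth category. Simplification: real code consults the Unicode general category. */
static int classify(uint32_t c)
{
    if (c < 0x80) {
        if (isupper((int)c)) return CAT_UPPER;
        if (islower((int)c)) return CAT_LOWER;
        if (isdigit((int)c)) return CAT_DIGIT;
        return isprint((int)c) ? CAT_SPECIAL : 0;  /* space counts, control codes do not */
    }
    if (c < 0xA0) return 0;                         /* C1 control codes */
    if (c == 0xD7 || c == 0xF7) return CAT_SPECIAL; /* multiplication and division sign */
    if (c >= 0xC0 && c <= 0xDE) return CAT_UPPER;   /* À .. Þ */
    if (c >= 0xDF && c <= 0xFF) return CAT_LOWER;   /* ß .. ÿ */
    if (c <= 0xBF) return CAT_SPECIAL;              /* ¡ .. ¿ (ª, µ, º lumped in) */
    return CAT_OTHER;                               /* e.g. Greek, Cyrillic, CJK */
}

static int count_bits(int m) { int n = 0; for (; m; m >>= 1) n += m & 1; return n; }

/* Per-code-point view: distinct categories and character count; false on invalid UTF-8, so the caller rejects. */
static bool classify_utf8(const char *pw, int *ncats, size_t *nchars)
{
    const unsigned char *s = (const unsigned char *)pw;
    size_t len = strlen(pw), pos = 0, count = 0;
    int mask = 0;
    *ncats = 0; *nchars = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = utf8_decode(s + pos, len - pos, &cp);
        if (n == 0) return false;
        mask |= classify(cp);
        pos += n; count++;
    }
    *ncats = count_bits(mask); *nchars = count;
    return true;
}

/* Per-byte view, the shape of check the report describes: every byte is a "character" and
 * every byte >= 0x80 lands in the catch-all category. */
static void classify_bytes(const char *pw, int *ncats, size_t *nbytes)
{
    int mask = 0;
    for (const unsigned char *s = (const unsigned char *)pw; *s; s++)
        mask |= (*s < 0x80) ? classify(*s) : CAT_OTHER;
    *ncats = count_bits(mask); *nbytes = strlen(pw);
}

/* ASCII-case-insensitive substring test for AD's "must not contain the account name" rule.
 * Assumption: ASCII account names; non-ASCII names would need Unicode case folding. */
static bool contains_ci(const char *hay, const char *needle)
{
    size_t hl = strlen(hay), nl = strlen(needle);
    for (size_t i = 0; i + nl <= hl; i++) {
        size_t j = 0;
        while (j < nl && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == nl) return true;
    }
    return false;
}

/* AD-style verdict: valid UTF-8, at least min_len characters, at least 3 of the 5
 * categories, and no account name of 3+ characters embedded in the password. */
static bool ad_complexity_ok(const char *pw, const char *account, size_t min_len)
{
    int ncats; size_t nchars;
    if (!classify_utf8(pw, &ncats, &nchars) || nchars < min_len || ncats < 3) return false;
    return !(strlen(account) >= 3 && contains_ci(pw, account));
}
```

Called on the report's inputs (as UTF-8 byte strings, e.g. "\xC3\x9Ctf8pass" for "Ütf8pass"), classify_utf8 reports 8 characters in three categories (upper, lower, digit) while classify_bytes reports 9 bytes with the two bytes of Ü in the catch-all category; for the test case "abcdééàçè" the code-point view sees a single category, which is the reason that test case stops passing once multi-byte characters are no longer counted as extra categories. Invalid UTF-8 (a lone lead byte, an overlong encoding) is rejected outright rather than classified byte by byte, and ad_complexity_ok("User1!Pass", "user1", 7) fails on the account-name rule despite having four categories.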
Created attachment 7805
Adjusted test cases for password complexity
The test case "abcdééàçè" used to work, because every two-byte character counted as two "high" characters (non-uppercase/-lowercase/-digit/-special) and check_password_quality permitted a password if
which IMHO does not seem to be a useful criterion. The previous commit adjusted the rule, this one adjusts the test cases.
*** Bug 9631 has been marked as a duplicate of this bug. ***
Created attachment 8530
Patches for v4-0-test
==> Karolin for 4.0.X
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test.
Included in 4.0.3.
Closing out bug report.