[Samba] check password script for samba 4 ad dc

Krutskikh Ivan stein.hak at gmail.com
Wed May 27 15:08:51 MDT 2015


Update:
I found out that cracklib-check does not return correct exit codes for good
and bad passwords, so I've made a quick python draft that exits with 0 on
complex password and with 1 on simple. But that didn't make any difference
to samba =(

2015-05-27 20:26 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:

> I would like to bump my question
>
> 2015-05-27 10:21 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
>
>> Hmm, looks like it's not. I've just set the password for something that
>> cracklib-check would argue using both ad management tools and at windows
>> login. Should it work that way or I'm missing something?
>>
>>  My dc's smb.conf:
>>
>> [global]
>>         workgroup = KURSK
>>         realm = KURSK.MTT
>>         netbios name = DEBIAN-DC
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>         check password script = /usr/sbin/cracklib-check
>>         log level = 4
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>>
>>
>> logs log.samba for passwd change:
>>
>> [2015/05/27 10:09:07.604309,  3]
>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
>>   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with
>> system_session
>> [2015/05/27 10:09:07.617789,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: TGS-REQ Administrator at KURSK.MTT from ipv4:192.168.1.204:50304
>> for kadmin/changepw at KURSK.MTT [canonicalize, renewable, forwardable]
>> [2015/05/27 10:09:07.631380,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime:
>> 2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till:
>> 2015-06-03T10:03:06
>> [2015/05/27 10:09:07.633241,  3]
>> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>>   Terminating connection - 'kdc_tcp_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> [2015/05/27 10:09:07.633707,  3]
>> ../source4/smbd/process_single.c:114(single_terminate)
>>   single_terminate: reason[kdc_tcp_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>> [2015/05/27 10:09:07.642900,  3]
>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>   Found account name from PAC: Administrator []
>> [2015/05/27 10:09:07.660999,  3]
>> ../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
>>   KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is
>> changing password of xviewsion at kursk.mtt
>> [2015/05/27 10:09:07.841347,  3]
>> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>>
>>
>> 2015-05-27 6:24 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
>>
>>> Hi everyone,
>>>
>>>
>>> A quick question: Is check password script option working for ad dc
>>> setup? I believe, ad on it's own cannot provide password protection against
>>> dictionaries.
>>>
>>
>>
>
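An added example of the kind of script the `check password script` option calls (it is not the author's draft, which is not included in the thread): Samba pipes the candidate password to the script's stdin, and the exit status decides the outcome, 0 to accept and non-zero to reject, which is the contract cracklib-check's output-based verdict does not satisfy. The length and class thresholds, the blocklist and the leetspeak table are constructed for this example.

```python
#!/usr/bin/env python3
# Samba pipes the candidate password to stdin; exit 0 accepts, non-zero rejects.
import re
import sys

MIN_LENGTH = 12   # thresholds chosen for this example
MIN_CLASSES = 3   # of: lowercase, uppercase, digit, other
# Constructed blocklist standing in for a real dictionary file.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "kursk"}
# Undo common substitutions before the dictionary check (@->a, $->s, 0->o, ...).
LEET = str.maketrans("@$013!", "asolei")


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def contains_blocked_word(password: str) -> bool:
    """True if a blocklisted word appears, even disguised as leetspeak."""
    normalised = password.lower().translate(LEET)
    return any(word in normalised for word in BLOCKLIST)


def check_password(password: str) -> list:
    """Return the policy violations found; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if contains_blocked_word(password):
        problems.append("contains a blocklisted word")
    return problems


def main() -> int:
    # Read one line from stdin and strip only a trailing newline, never spaces.
    password = sys.stdin.readline().rstrip("\r\n")
    problems = check_password(password)
    for problem in problems:  # diagnostics go to stderr, never to stdout
        print("password rejected: " + problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Point `check password script` at the file (executable, readable only by root, since it receives cleartext passwords) and verify the contract from a shell with `printf 'candidate\n' | /path/to/script.py; echo $?` before trusting it from Samba.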
