[Samba] samba password complexity help?
Morgan Toal
mtoal at burlingtoniowa.org
Mon Dec 21 07:50:19 MST 2009
Hi there,
I'll repost this, as I'm kind of needing to get some resolution on this
issue. If anyone has some documentation they could point me to I'd
appreciate it, or perhaps a sample check password script suitable for
Fedora 11.
Thanks!!!
mtoal
-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal <mtoal at burlingtoniowa.org>
To: samba at lists.samba.org
Hi there,
Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.
The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word
Per the Samba 3.2 FAQ, the first three requirements are easily
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90
These items appear to work with no difficulty. However this does not
address the dictionary/complexity requirement.
I have seen the following suggestion elsewhere on the samba list:
check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
I am not able to use this suggestion directly. No file "crackcheck" is
present on my system. There is a /usr/sbin/cracklib-check but it seems
to work on a file or stream, like grep or something, as opposed to
returning a value as a function. And it does not seem to accept a "-d"
switch. There seems to be no man page for cracklib-check. I have a
dictionary in /usr/share/cracklib.
Here is what cracklib-check does...
# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger <-- attempting to check password "booger"
^C <-- sits there for input, ctrl-c to get out
It does not seem to be a program that "returns" something, so I don't
think it can return an error code to Samba if I use a crappy password.
I try this anyway, but it does not seem to accomplish anything. I
see nothing in /var/log/messages or in /var/log/samba/log.smbd:
check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict
Well, it doesn't seem to work when I change my password from a Windows
client. Does anyone have any suggestions? Thanks.
So what it boils down to is:
0) what am I missing here?
1) where can I get an example crackcheck script file?
2) I have seen other suggestions to use pam. This might supersede some
of the tdbsam policy requirements. Is this a better method?
--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
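A sample check password script of the kind asked for in question 1, added here as an example; it is not from the original post or from the Samba project. Samba writes the candidate password to the script's standard input and treats exit status 0 as "acceptable" and anything else as a rejection, so the wrapper reads stdin, pipes it to cracklib-check (which, as observed above, reads stdin rather than an argument) and maps cracklib's text verdict to an exit status. The install path /usr/local/sbin/crackcheck and the CRACKLIB_CHECK override variable are assumptions.

```shell
#!/bin/sh
# Assumed install path: /usr/local/sbin/crackcheck
# smb.conf:  check password script = /usr/local/sbin/crackcheck
# Samba sends the new password on stdin; exit 0 accepts, non-zero rejects.
CRACKLIB_CHECK="${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}"   # assumed path

# verdict_ok LINE: cracklib-check echoes "<password>: <verdict>"; only a
# line ending in ": OK" means the password passed.
verdict_ok() {
    case "$1" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# check_password: read one password from stdin, run it through cracklib,
# return 0 (accept) or 1 (reject). Fails closed if cracklib is missing or
# prints nothing, and logs only the reason, never the password itself.
check_password() {
    IFS= read -r pw || return 1
    [ -n "$pw" ] || return 1
    out=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>/dev/null | tail -n 1)
    if verdict_ok "$out"; then
        return 0
    fi
    reason=${out##*: }
    logger -t crackcheck -p auth.notice "password rejected: ${reason:-no verdict}" 2>/dev/null || :
    return 1
}

# Run the check only when invoked under the installed name, so the
# functions can also be sourced for testing without consuming stdin.
case "${0##*/}" in
    crackcheck) check_password; exit $? ;;
esac
```

Test it by hand with `printf 'booger\n' | /usr/local/sbin/crackcheck; echo $?` before pointing smb.conf at it; a rejected password shows up as the reason string in syslog.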