R: password policy on samba 3.0

lu j.lu at tiesse.com
Wed Oct 29 12:40:56 GMT 2003


The "password quality" is a very important issue in Europe, especially in
banking systems; the law forces this implementation.
I agree with you on module implementation, but there are things that should be
implemented in the base code. For example, the LDAP attribute: we cannot have a
lot of different samba.schema files in the world.
I will upgrade my patch on 3.0.0 and possibly study the module implementation.
Let's see if we can find some compromises.

Jianliang Lu

TieSse s.p.a
Via Jervis, 60 - 10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
http://www.tiesse.com



-----Original Message-----
From: Simo Sorce [mailto:simo.sorce at xsec.it]
Sent: Wednesday, October 29, 2003 12:42 PM
To: Andrew Bartlett
Cc: j.lu at tiesse.com; 'samba-technical'
Subject: Re: R: R: password policy on samba 3.0


On Wed, 2003-10-29 at 12:07, Andrew Bartlett wrote:
> I'm not convinced how much Samba should be involved in the 'password
> quality' issue - given how it varies between sites.  There was a patch
> much earlier that put this out to an external script.  (Allowing
> cracklib and the like)

I think the best way could be to add a cascading style to auth modules
(like vfs ones) so that anyone can do its own policy simply through a
module. However, including some basic checking in samba (those expected
by users) seems ok.

> However, if we do make Samba handle this I would like to see the 'old
> passwords' optionally stored in some salted, not MD4() hashed form, or
> in the original cleartext for soundex comparison.

Why? Salted? What's wrong with MD4 hashes?

Simo.

--
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399



