[Samba] Samba-2.2.3a-LDAP-PDC: password policy

Andrew Bartlett abartlet at pcug.org.au
Thu Apr 4 01:53:06 GMT 2002

Thomas Klettke wrote:
> My setup:
> -RH7.2 on a 2.4.17 kernel with acl support
> -samba 2.2.3a, using LDAP (with smbldap-tools), functions as PDC
> Question:
> Before using smbldap-passwd.pl, (meaning: using "passwd") Linux would not
> allow "trivial" passwords (blank, too short, dictionary words, etc.). As I
> understand, one of the tools that enables this is cracklib.
> With LDAP in place, I would like to have the same level of security, e.g.
> preventing my users from using the trivial password that many people love
> soo much.
> Has anyone found a solution to combine ldappasswd, or smbldap-passwd.pl with
> the security of cracklib?

I do this by having my user's change their passwords via PAM and
pam_winbind (I use HEAD for this, where I cleaned up pam_winbind *a
lot*).  I currently don't advertise (or restrict) windows based password
changes - I intend to do this by adding cracklib support to Samba.  (not
as hard as it sounds).

You could do this by setting 'unix password sync' (smb.conf option) and
setting 'passwd program' to point to a script that calls cracklib
itself.  Samba won't change a password without the unix sync occouring

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba mailing list