[Samba] Re: Password Aging Policies - SAMBA

richard rcoates at bigpond.net.au
Sat Apr 5 15:26:26 GMT 2003


	Eyal, I cc this email to the list so others may contribute...
Below are some simple password history scripting ideas I fiddled with a
while ago. It runs from the command line with the username as argument.. (Maybe
others have better ideas??)
I found little useful info on the web or in lists.
Not sure of the best way to interface/wrap with smbpasswd?
Problem -- there doesn't seem to be a (samba) mechanism to communicate
errors/feedback to clients.... Samba3 may have this ability sometime in
the future?
	Or.. XP-Pro has lots of fancy user/pass/stuff already built in, trouble
is you need group-policy/active-directory to make use of them. Unless
parts of A/D can be duplicated in samba one day?
	Local policies (XP-Pro), as far as user/password stuff goes, work fine in
a workgroup environment. You can use XP built-in security tools
here. Supposedly it's possible for local security policy (XP-Pro) to apply
in a samba domain, but I couldn't get password stuff to work. This is
what I have found after many hours searching/testing. I hope others will
jump in with their contributions. Script below to play with, regards,
Richard Coates.

#!/bin/sh

# samba TESTING password history script Jan 2003, R.Coates
# could use encrypted hash from smbpasswd file instead of plain text
# change vars to suit
#mypath=/etc/samba          # redhat path to samba config
mypath=/root                # test path
hist=5                      # number of passwords to keep
user=$1                     # username as 1st argument

if [ -z "$user" ]; then
  echo "usage: $0 username" >&2
  exit 1
fi
umask 077                   # history and tmp files hold plain text passwords

# setup check; does "history" exist; create, set permissions
if ! [ -d "$mypath/history" ]; then
  mkdir "$mypath/history"
  chmod 700 "$mypath/history"   # a directory needs the x bit to be entered
fi
# at sambapassword change
#   1: new password is compared to history

#   2: if matched, error messg sent to user, retry
       # ** problem **
#   3: if not matched
#      new password appended to "history file"
#      execute smbpasswd -a newpasswd to update samba password

#   4: history file truncated to "n" most recent entries

echo "enter newpassword"
read -r newpass
echo "retype newpassword"
read -r newpass1

# -x whole line, -F fixed string: no regex or substring matches; a missing
# history file (first change for this user) counts as "not matched"
if grep -qxF -e "$newpass" "$mypath/history/$user" 2>/dev/null; then
  echo "password in recent history..try again"
else
  printf '%s\n' "$newpass" >> "$mypath/history/$user"   # update history
  printf '%s\n' "$newpass"  > "$mypath/history/tmp"     # write tmp password file
  printf '%s\n' "$newpass1" >> "$mypath/history/tmp"
  # truncate history
  tail -n "$hist" "$mypath/history/$user" > "$mypath/history/$user.tmp"
  mv -f "$mypath/history/$user.tmp" "$mypath/history/$user"

  #execute smbpasswd -a here
  # update samba password from tmp file
  smbpasswd -s -a "$user" < "$mypath/history/tmp"
  rm -f "$mypath/history/tmp"                           # remove tmp password file
fi


On Sat, 2003-04-05 at 01:07, EyalM at cardonhealthcare.com wrote:
> My scripting knowledge is good, but I don't know where to look in. Do you
> have any idea where to start?
> 
> 
> 
> 
> 
> Eyal Marantenboim <eyal at eyal.com.ar>
> 04/04/2003 07:14
> 
>  
>         To:     eyalm at cardonhealthcare.com
>         cc: 
>         Subject:        Fwd: Re: [Samba] Re: Password Aging Policies - SAMBA
> 
> 
> >Subject: Re: [Samba] Re: Password Aging Policies - SAMBA
> >From: richard <rcoates at bigpond.net.au>
> >To: Eyal M <eyal at eyal.com.ar>
> >Date: 04 Apr 2003 08:27:01 +1000
> >
> >I am also... have been for months and have found zip. How's your
> >scripting knowledge?
> >Richard.
> >
> >On Fri, 2003-04-04 at 08:57, Eyal M wrote:
> >>  I'm looking for a solution to password aging, do you know where I can get one?
> >>
> >>  Eyal.
> >>
> >>  <ascannel at fws.gov> wrote in message
> >>  news:OFEEB22D6F.70D864FE-ON89256CFD.007470D9-89256CFD.00755439 at irm.r9.fws.gov...
> >>  >
> >>  >
> >>  > >I am sorry if this is a lame question, but I am setting up a Primary
> >>  > >Domain Controller and a Backup Domain Controller. All the clients are
> >>  > >Windows 2K or XP. I need the clients to reset their passwords every 30
> >>  > >days. I am having a hard time locating a procedure to set this feature.
> >>  > >LINUX has 'chage' but that does not seem to apply to SAMBA.
> >>  >
> >>  > Samba 2.x does not have this built in.  Looks like Samba 3.0 will have
> >>  > this as a feature.  For now you get to do it yourself.  If you check the
> >>  > archives you'll find a number of homebrew solutions to password aging.
> >>  >
> >>  > Patrick
> >>  >
> >>  >
> >>  >
> >>  >
> >>  > --
> >>  > To unsubscribe from this list go to the following URL and read the
> >>  > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >>  >
> 
> 
> 
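
The script's own comment notes that a hash could be kept instead of plain text. The following is an added example, not part of the original post, written in Python rather than sh so it can use the standard library's PBKDF2; it does the same history check (steps 1 to 4) with per-entry salted hashes. The file layout, function names and iteration count are assumptions.

```python
import hashlib, hmac, os, tempfile

HIST = 5              # entries kept, same as hist=5 in the script
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def _load(path):
    """Return [(salt, digest), ...]; a missing file means an empty history."""
    try:
        with open(path) as fh:
            return [tuple(bytes.fromhex(p) for p in line.strip().split(":"))
                    for line in fh if line.strip()]
    except FileNotFoundError:
        return []

def in_history(path, password):
    """True if password matches any stored entry (each has its own salt)."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in _load(path))

def record(path, password, keep=HIST):
    """Append a salted hash of password and keep only the newest `keep`."""
    salt = os.urandom(16)
    entries = (_load(path) + [(salt, _digest(password, salt))])[-keep:]
    # mkstemp creates the file 0600; rename makes the update atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        for s, d in entries:
            fh.write(f"{s.hex()}:{d.hex()}\n")
    os.replace(tmp, path)

def change_password(path, new_password, keep=HIST):
    """Reject a password found in history, otherwise record it.
    The caller would run smbpasswd only when this returns True."""
    if in_history(path, new_password):
        return False
    record(path, new_password, keep)
    return True
```

Because every entry has its own salt, the check has to recompute the hash once per stored entry; with a history of five that cost is small.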



