[Samba] Strong Password Enforcement (Windows-side)

Adam Williams adam at morrison-ind.com
Thu Oct 2 20:31:49 GMT 2003

> Before I begin, big thanks to John Terpstra for helping me out with my
> previous issues.
> But alas I have another issue, I need to enforce strong passwords on
> windows side (i.e. ctrl+alt+delete change password), minimum password
> length, can't be dictionary words, etc. etc.

You can specify minimum password length, but not much beyond that. 
There is a section of the Samba code that says "insert cracklib support
here".  I'd image that is what we all want to see happen.

> (Setup is Samba 3.0.0 as PDC with LDAP passdb)

Same here.

> >From what I undersatnd previously this could've been done using
> pam_smbpass or a policy pushed out from netlogon, but I'm dealing with a
> mixed environment of 2k/XP, and I read that nt4 policies don't work with
> XP.  And it would appear that when using ldap password sync it bypasses
> pam(?).

Yes, it does.

> Also I've seen alot about Group Policy Editor, but it seems that's only
> useful if you're using AD.
> Is this perhaps the direction pdbedit is going towards?  it would be quite
> nifty to have a single command to edit (or generate) domain policies. It
> seemed to work with altering the minimum password length, but it only goes so
> far.

I think cracklib support in Samba is what we want.

More information about the samba mailing list