[Samba] enforcing password complexity (check password script, cracklib)
Charles McLaughlin
cmclaughlin at ucdavis.edu
Mon Aug 15 20:01:57 GMT 2005
Hello,

I would like to enforce some level of password complexity when users
change their password. I have a Samba PDC running on Debian set to sync
Unix passwords. I'm trying to get Samba to work with cracklib, but it
isn't going well.

Here is what I've tried:

Installed libpam-cracklib, compiled examples/auth/crackcheck and copied
the binary to /usr/local/sbin.

I added the following line to my smb.conf file:

    check password script = /usr/local/sbin/crackcheck

Edited /etc/pam.d/common-password to look like this:

    password required pam_unix.so nullok obscure min=4 max=8 md5
    password required pam_cracklib.so retry=3 minlen=6 difok=3
    password required pam_unix.so use_authtok nullok md5

Restarted Samba and tried to change my password from a Windows box and
smbpasswd. I get this error when using smbpasswd:

    machine 127.0.0.1 rejected the (anonymous) password change: Error was : Password restriction.
    Failed to change password for cmclaugh

I picked a rather random and strong password, so I believe there is some
misconfiguration.

I would appreciate any advice.

Thanks,
Charles
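
Added example, not part of the original post and not Samba's crackcheck: smb.conf(5) documents that the check password script receives the candidate password on stdin and accepts it by exiting 0, so a checker can be exercised by hand outside smbd to see the exit status behind a "Password restriction" rejection. The function names, the --check switch and the 3-of-4 character-class rule are assumptions made for this sketch.

```shell
#!/bin/sh
# Added illustration; hypothetical stand-in, NOT Samba's crackcheck.
# Contract (smb.conf(5), "check password script"): smbd writes the candidate
# password to the script's stdin; exit status 0 accepts, anything else rejects.
LC_ALL=C; export LC_ALL          # make the [a-z] style ranges plain ASCII
MINLEN=6                         # assumed policy, mirrors minlen=6 in the post

# check_password: read one candidate line from stdin, return 0 or 1.
check_password() {
    pw=
    IFS= read -r pw || [ -n "$pw" ] || return 1    # nothing on stdin: reject
    [ "${#pw}" -ge "$MINLEN" ] || return 1         # too short: reject
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]                           # assumed rule: 3 of 4 classes
}

# probe: hand a candidate to any checker on stdin, as smbd does, and report
# the exit status.
# Usage: probe <candidate> <checker command> [args...]
probe() {
    candidate=$1; shift
    if printf '%s\n' "$candidate" | "$@" >/dev/null 2>&1; then
        echo "accepted (exit 0)"; return 0
    else
        rc=$?
        echo "rejected (exit $rc)"; return 1
    fi
}

# Hypothetical entry point: "thisscript --check" behaves as the checker itself.
if [ "${1:-}" = "--check" ]; then
    check_password
    exit $?
fi
```

With the functions loaded in a root shell, probe can be given the path of the configured checker in place of check_password; an exit status of 127 means the shell could not find the command, rather than a policy decision.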