[Samba] tdbsam (local) to ldap (tdbldap) backend migration causes pam restrictions not to work anymore?

Bostjan Müller neonatus at gmail.com
Fri Jan 21 10:46:07 GMT 2005


Hi,

I am using samba 3.0.10 on Debian and have had my users in tdbsam
backend until now.
They have had the ability to change their unix password along with
samba password and besides that I was able to apply some PAM
restrictions to the users password strength via pam_cracklib.so
library.

I have now moved the users into ldap and auth works ok, but I cannot
change users password and still have the password restrictions set (or
can I)?

My previous setup was like this:
smb.conf:
  encrypt passwords = yes
  obey pam restrictions = yes
  passwd chat debug = yes
  smb passwd file = /etc/samba/smbpasswd
  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

/etc/pam.d/samba:
auth      required  pam_unix.so nullok
account   required  pam_unix.so
session   required  pam_unix.so
password  required  pam_cracklib.so minlen=20 ocredit=5 ucredit=3 dcredit=3 lcredit=1
password  required  pam_unix.so

Now I have changed the part in smb.conf to be like this:
passwd program = /usr/bin/ldappasswd -D cn=root,dc=neonatus,dc=net -x -w 'password_for_root_user' -S uid=%u,ou=People,dc=neonatus,dc=net
passwd chat = *New*password*%n\n*new*password*%n\n

I can however use the 
ldap password sync = yes
and users can change passwords then, but again no pam restriction is
applied (no restriction but password length).

What I would need to have is:
- remember 5 last passwords
- have the ability to force use of letters and numbers in passwords
- force minimal length.

I can do the last, but don't know how to force the others.

I would appreciate any help.

Regards,
Bostjan
-- 
buhdej evridej
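
The credit options in the posted pam_cracklib line, worked through as an added example (not part of the original post, and a simplified model of the rule documented in the pam_cracklib man page rather than the module's code): a non-negative credit lets characters of that class count toward minlen, while a negative credit makes that many characters of the class mandatory. The function names and the STRICT settings are constructed for illustration, and the module's dictionary and similarity checks are not modelled.

```python
import string
from collections import Counter

def char_classes(password):
    """Count ASCII digits (d), uppercase (u), lowercase (l) and other (o) characters."""
    counts = Counter()
    for ch in password:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def passes_credit_check(password, minlen, dcredit, ucredit, lcredit, ocredit):
    """Return True if the password meets minlen under the credit rule.

    credit >= 0: each character of that class, up to the credit, lowers the
                 length still required by one.
    credit <  0: at least -credit characters of that class are mandatory.
    """
    counts = char_classes(password)
    required = minlen
    for cls, credit in (("d", dcredit), ("u", ucredit),
                        ("l", lcredit), ("o", ocredit)):
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    return len(password) >= required

# Settings from the /etc/pam.d/samba line in the post.
POSTED = dict(minlen=20, dcredit=3, ucredit=3, lcredit=1, ocredit=5)
# Constructed variant: negative credits require one digit and one lowercase letter.
STRICT = dict(minlen=8, dcredit=-1, ucredit=0, lcredit=-1, ocredit=0)

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("abcdefghijklmnopqrs", "ABC123!!!a", "ABC123!!a"):
        print("POSTED", pw, passes_credit_check(pw, **POSTED))
    for pw in ("abcdefgh", "abcdefg1", "12345678"):
        print("STRICT", pw, passes_credit_check(pw, **STRICT))
```

Under the posted settings a 10-character password that mixes all four classes satisfies minlen=20, and no class is mandatory; only the negative credits in the constructed variant force a digit and a letter.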

