[Samba] tdbsam (local) to ldap (tdbldap) backend migration causes
pam restrictions not to work anymore?
Bostjan Müller
neonatus at gmail.com
Fri Jan 21 10:46:07 GMT 2005
Hi,
I am using samba 3.0.10 on Debian and have had my users in tdbsam
backend until now.
They have had the ability to change their unix password along with
samba password and besides that I was able to apply some PAM
restrictions to the users password strength via pam_cracklib.so
library.
I have now moved the users into ldap and auth works ok, but I cannot
change users' passwords and still have the password restrictions set (or
can I)?
My previous setup was like this:
smb.conf:
    encrypt passwords = yes
    obey pam restrictions = yes
    passwd chat debug = yes
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
/etc/pam.d/samba:
    auth required pam_unix.so nullok
    account required pam_unix.so
    session required pam_unix.so
    password required pam_cracklib.so minlen=20 ocredit=5 ucredit=3 dcredit=3 lcredit=1
    password required pam_unix.so
Now I have changed the part in smb.conf to be like this:
    passwd program = /usr/bin/ldappasswd -D cn=root,dc=neonatus,dc=net -x -w 'password_for_root_user' -S uid=%u,ou=People,dc=neonatus,dc=net
    passwd chat = *New*password*%n\n*new*password*%n\n
I can however use the
ldap password sync = yes
and users can change passwords then, but again no pam restriction is
applied (no restriction but password length).
What I would need to have is:
- remember 5 last passwords
- have the ability to force use of letters and numbers in passwords
- force minimal length.
I can do the last, but don't know how to force the others.
I would appreciate any help.
Regards,
Bostjan
--
buhdej evridej
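
Added example, not part of the original post: a model of pam_cracklib's documented minlen/credit arithmetic, applied to the settings quoted in /etc/pam.d/samba above, to show what that line enforces on length and character classes. The function names are hypothetical and the sample passwords are constructed.

```python
# Added illustration: models pam_cracklib's documented minlen/credit
# arithmetic only; the dictionary and similarity checks that the real
# module also performs are left out.
import string

# Values from the /etc/pam.d/samba password line quoted in the post.
POSTED = {"minlen": 20, "ocredit": 5, "ucredit": 3, "dcredit": 3, "lcredit": 1}


def class_counts(password):
    """Count characters per pam_cracklib class (ASCII classes assumed)."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def required_length(password, opts):
    """Length needed for this password, or None if a minimum count is unmet."""
    needed = opts["minlen"]
    for name, count in class_counts(password).items():
        credit = opts[name]
        if credit >= 0:
            needed -= min(count, credit)  # N >= 0: up to N characters earn credit
        elif count < -credit:
            return None                   # N < 0: at least |N| characters required
    return needed


def length_check_passes(password, opts=POSTED):
    needed = required_length(password, opts)
    return needed is not None and len(password) >= needed


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the post.
    for pw in ("a" * 18, "a" * 19, "AB1c!@#$%2", "abcdefghijklmnopqrst"):
        print(f"{pw!r:25} len={len(pw):2} passes={length_check_passes(pw)}")
```

With the posted positive credits, a 10-character mixed password and a 20-character all-lowercase password both pass the length check; a negative credit value such as dcredit=-1 is what makes a character class mandatory.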