[Samba] Re: enforcing password complexity (check password script,
cmclaughlin at ucdavis.edu
Sun Nov 20 03:19:38 GMT 2005

I'm posting this for the sake of the archives.

To get this to work I had to generate the cracklib dictionary by running
update-cracklib or /etc/cron.daily/cracklib then specify the cracklib
dictionary on the relevant line in smb.conf:

    check password script = /usr/local/sbin/crackcheck -d

Charles McLaughlin wrote:
> I would like to enforce some level of password complexity when users
> change their password. I have a Samba PDC running on Debian set to sync
> Unix passwords. I'm trying to get Samba to work with cracklib, but it
> isn't going well.
>
> Here is what I've tried:
>
> Installed libpam-cracklib, compiled examples/auth/crackcheck and copied
> the binary to /usr/local/sbin.
>
> I added the following line to my smb.conf file:
>
>     check password script = /usr/local/sbin/crackcheck
>
> Edited /etc/pam.d/common-password to look like this:
>
>     password required pam_unix.so nullok obscure min=4 max=8 md5
>     password required pam_cracklib.so retry=3 minlen=6 difok=3
>     password required pam_unix.so use_authtok nullok md5
>
> Restarted Samba and tried to change my password from a Windows box and
> smbpasswd. I get this error when using smbpasswd:
>
>     machine 127.0.0.1 rejected the (anonymous) password change: Error was :
>     Password restriction.
>     Failed to change password for cmclaugh
>
> I picked a rather random and strong password, so I believe there is some
>
> I would appreciate any advice.
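
Added example, not part of the original post and not Samba's examples/auth/crackcheck: a shell wrapper that follows the "check password script" contract (candidate password on stdin, exit status 0 accepts, anything else rejects) and fails closed when the checker or its dictionary is unavailable. It assumes the cracklib-check CLI from cracklib-runtime and a hypothetical install name, check-password-cracklib.

```shell
#!/bin/sh
# Added example. smbd writes the candidate password to this script's stdin;
# exit status 0 accepts the password, any other status rejects it.

# Assumption: cracklib-check prints "<password>: OK" or "<password>: <reason>"
# for each line it reads. Overridable so the wrapper can be tested with a stub.
CRACKLIB_CHECK="${CRACKLIB_CHECK:-cracklib-check}"

# check_password PASSWORD
# returns 0 = accepted, 1 = rejected as weak, 2 = checker or dictionary failure
check_password() {
    # printf is a shell builtin, so the password never shows up in a
    # process argument list.
    verdict=$(printf '%s\n' "$1" | "$CRACKLIB_CHECK" 2>/dev/null) || return 2
    case "$verdict" in
        "")      return 2 ;;   # no verdict at all: fail closed
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

main() {
    # Accept input with or without a trailing newline.
    IFS= read -r candidate || [ -n "$candidate" ] || exit 2
    check_password "$candidate"
    rc=$?
    # Report the outcome only: the verdict line contains the password itself.
    if [ "$rc" -eq 2 ]; then
        echo "check-password: cracklib-check failed (dictionary missing?)" >&2
    fi
    exit "$rc"
}

# Hypothetical install name; main runs only when invoked under that name.
case "${0##*/}" in
    check-password-cracklib) main ;;
esac
```

Since any non-zero status is a rejection, the separate codes 1 and 2 are there for running the script by hand, where they distinguish a weak password from a broken cracklib setup.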