[Samba] Re: enforcing password complexity (check password script, cracklib)

Charles McLaughlin cmclaughlin at ucdavis.edu
Sun Nov 20 03:19:38 GMT 2005

I'm posting this for the sake of the archives.

To get this to work I had to generate the cracklib dictionary by running 
update-cracklib or /etc/cron.daily/cracklib, then specify the cracklib 
dictionary on the relevant line in smb.conf:

check password script = /usr/local/sbin/crackcheck -d 


Charles McLaughlin wrote:
> Hello,
> I would like to enforce some level of password complexity when users 
> change their password.  I have a Samba PDC running on Debian set to sync 
> Unix passwords.  I'm trying to get Samba to work with cracklib, but it 
> isn't going well.
> Here is what I've tried:
> Installed libpam-cracklib, compiled examples/auth/crackcheck and copied 
> the binary to /usr/local/sbin.
> I added the following line to my smb.conf file:
> check password script = /usr/local/sbin/crackcheck
> Edited /etc/pam.d/common-password to look like this:
> password required         pam_unix.so nullok obscure min=4 max=8 md5
> password required         pam_cracklib.so retry=3 minlen=6 difok=3
> password required         pam_unix.so use_authtok nullok md5
> Restarted Samba and tried to change my password from a Windows box and 
> smbpasswd.  I get this error when using smbpasswd:
> machine rejected the (anonymous) password change: Error was : 
> Password restriction.
> Failed to change password for cmclaugh
> I picked a rather random and strong password, so I believe there is some 
> misconfiguration.
> I would appreciate any advice.
> Thanks,
> Charles
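
Added example (not part of the original post or of Samba's crackcheck): a small shell harness that exercises a check password script the way smbd does, to tell a missing cracklib dictionary apart from a checker that rejects every password, which is the "Password restriction" symptom quoted above. It assumes the contract documented in smb.conf(5) (password on standard input, exit status 0 means accept) and that a packed cracklib dictionary consists of .pwd, .pwi and .hwm files; the function names and DICT_BASE are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# smbd hands the new password to "check password script" on standard input
# and accepts the change only if the script exits 0.

# dict_ready BASE: succeed only if the packed cracklib files BASE.pwd,
# BASE.pwi and BASE.hwm all exist.
dict_ready() {
    for ext in pwd pwi hwm; do
        [ -f "$1.$ext" ] || return 1
    done
}

# run_checker CANDIDATE CMD [ARGS...]: pipe CANDIDATE to CMD the way smbd
# would and print "accept" or "reject" according to the exit status.
run_checker() {
    candidate=$1
    shift
    if printf '%s' "$candidate" | "$@" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# diagnose BASE CMD [ARGS...]: print one verdict for the whole setup.
diagnose() {
    base=$1
    shift
    if ! dict_ready "$base"; then
        echo dictionary-missing
        return 0
    fi
    # Both candidates are constructed test values, never real credentials.
    strong=$(run_checker 'Vq7#xT2!mZr9&Lb4' "$@")
    weak=$(run_checker 'password' "$@")
    case "$strong/$weak" in
        accept/reject) echo ok ;;
        reject/reject) echo rejects-everything ;;  # symptom in the post
        accept/accept) echo accepts-everything ;;  # checker enforces nothing
        *) echo inconsistent ;;
    esac
}

# Usage (DICT_BASE is a placeholder for the dictionary path on your system):
#   diagnose "$DICT_BASE" /usr/local/sbin/crackcheck -d "$DICT_BASE"
```

Run it as root on the PDC before restarting Samba; a verdict other than "ok" means password changes will either all fail or all pass regardless of strength.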
