[Samba] Re: enforcing password complexity (check password script, cracklib)
Charles McLaughlin
cmclaughlin at ucdavis.edu
Sun Nov 20 03:19:38 GMT 2005
I'm posting this for the sake of the archives.
To get this to work I had to generate the cracklib dictionary by running
update-cracklib or /etc/cron.daily/cracklib then specify the cracklib
dictionary on the relevant line in smb.conf:
check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
Charles
Charles McLaughlin wrote:
> Hello,
>
> I would like to enforce some level of password complexity when users
> change their password. I have a Samba PDC running on Debian set to sync
> Unix passwords. I'm trying to get Samba to work with cracklib, but it
> isn't going well.
>
> Here is what I've tried:
>
> Installed libpam-cracklib, compiled examples/auth/crackcheck and copied
> the binary to /usr/local/sbin.
>
> I added the following line to my smb.conf file:
>
> check password script = /usr/local/sbin/crackcheck
>
> Edited /etc/pam.d/common-password to look like this:
>
> password required pam_unix.so nullok obscure min=4 max=8 md5
> password required pam_cracklib.so retry=3 minlen=6 difok=3
> password required pam_unix.so use_authtok nullok md5
>
> Restarted Samba and tried to change my password from a Windows box and
> smbpasswd. I get this error when using smbpasswd:
>
> machine 127.0.0.1 rejected the (anonymous) password change: Error was :
> Password restriction.
> Failed to change password for cmclaugh
>
> I picked a rather random and strong password, so I believe there is some
> misconfiguration.
>
> I would appreciate any advice.
>
> Thanks,
> Charles
>
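An added example, not part of the original post and not Samba's own code: a wrapper around the crackcheck call from the reply above. Samba treats any non-zero exit from the check password script as a rejection, so the wrapper logs whether the checker or dictionary was missing or the password itself was refused. The function names, the `pwcheck` log tag and the `--check` argument are hypothetical; the two paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: wrapper for smb.conf "check password script".
# Samba writes the new password to the script's stdin; exit status 0
# means accept, anything else means reject.

# Paths from the post; override via the environment if yours differ.
CRACKCHECK="${CRACKCHECK:-/usr/local/sbin/crackcheck}"
DICT="${DICT:-/var/cache/cracklib/cracklib_dict}"

# A cracklib dictionary is three files sharing one path prefix.
dict_ready() {
    for ext in pwd pwi hwm; do
        [ -s "$1.$ext" ] || return 1
    done
}

# Send a diagnostic to syslog, falling back to stderr (hypothetical tag).
note() {
    logger -t pwcheck -p auth.warning "$1" 2>/dev/null || echo "pwcheck: $1" >&2
}

# Returns 0 = accepted, 1 = rejected by crackcheck, 2 = setup problem.
check_password() {
    if ! command -v "$CRACKCHECK" >/dev/null 2>&1; then
        note "checker $CRACKCHECK missing or not executable"
        return 2
    fi
    if ! dict_ready "$DICT"; then
        note "cracklib dictionary $DICT.{pwd,pwi,hwm} missing or empty"
        return 2
    fi
    # crackcheck inherits stdin (the password); the password is never logged.
    if "$CRACKCHECK" -d "$DICT"; then
        return 0
    fi
    note "password rejected by cracklib"
    return 1
}

# Run only when called with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_password
    exit $?
fi
```

With this in place, a run of "Password restriction" errors accompanied by exit status 2 entries in the auth log points at the dictionary or the checker binary rather than at the passwords users chose.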