[Samba] password strength doubt
Cleber P. de Souza
cleberps at gmail.com
Wed Dec 27 04:13:05 GMT 2006
There are a number of ways to accomplish such a task.
Some I use are:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
This checks the user's password against a dictionary. Crackcheck can be
downloaded from Samba.
The cracklib package must be installed for the dictionary to work.
3) Use the PAM module pam_cracklib to set your password rules for lower/upper-case
characters, numbers, special characters, etc.:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64
See the man pages for correct options values.
4) You can block users after X retries using the PAM module pam_tally.so, but I
haven't tried this yet.
I think this can help you.
On 12/26/06, Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
> Maybe I can do this with the "check password script". But I only found
> the cracklib example. Does anyone know a way of doing this? Because the
> cracklib example only checks against a dictionary.
> Tnxs in advance.
> Gary Dale wrote:
> > I think you'll find at least some of these are Windows Policies and
> > would not be reflected in the smb.conf file. If you check the Samba
> > Howto collection and the Samba by example documents at samba.org,
> > you'll find examples of how to set some of the policies.
> > To be honest, I've never gone beyond requiring password changes,
> > minimum lengths and histories. :)
> > Guido Lorenzutti wrote:
> >> Hi people! I have a few problems with the password strength in Samba.
> >> I have a PDC with LDAP on Debian Stable, with a few packages from
> >> backports.
> >> The problem is that I can't find a way to enforce strength for the
> >> passwords of the users. I can't define a policy to force things like:
> >> number of uppercase letters, number of lowercase letters, number of
> >> digits in the password, checking the difference between the new and
> >> the old, storing a list of old passwords to check... I mean, things
> >> that are required to enforce some security policy of my company.
> >> Bottom line? The users can use their username as password! Not even
> >> that is checked...
> >> Is something wrong in my setup, or is this a feature request? I see min
> >> password length.. but.. the rest?
> >> This is the important part of my setup:
> >> [global]
> >> #Network ID
> >> workgroup = JUSBAIRES
> >> netbios name = PDC
> >> netbios aliases = SERVER
> >> server string =
> >> #Logs
> >> debug level = 0
> >> syslog = 0
> >> log level = 0
> >> log file = /var/log/samba/%m.%U.log
> >> max log size = 10000
> >> panic action = /usr/share/samba/panic-action %d
> >> #Network Support
> >> name resolve order = wins hosts lmhosts bcast
> >> socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
> >> wins support = yes
> >> wins proxy = yes
> >> enhanced browsing = yes
> >> dns proxy = yes
> >> time server = yes
> >> local master = yes
> >> smb ports = 139
> >> #LDAP
> >> ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
> >> ldap suffix = dc=jusbaires,dc=gov,dc=ar
> >> ldap group suffix = ou=Group
> >> ldap user suffix = ou=People
> >> ldap machine suffix = ou=alem,ou=Computers
> >> ldap delete dn = no
> >> ldap passwd sync = yes
> >> #Printer Options
> >> printcap name = /dev/null
> >> printing = bsd
> >> load printers = no
> >> #Security Options
> >> admin users = administrador lgiacchetta
> >> enable privileges = yes
> >> preferred master = yes
> >> lm announce = yes
> >> domain master = yes
> >> domain logons = yes
> >> encrypt passwords = yes
> >> pam password change = yes
> >> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar"
> >> passwd chat debug = no
> >> check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
> >> unix charset = 850
> >> dont descend = .recycle
> >> delete veto files = yes
> >> restrict anonymous = 1
> >> #Profiles stuff
> >> logon script = netlogon.%U.bat
> >> logon path = \\PDC\profiles\%U
> >> logon home = \\PDC\personal
> >> logon drive = H:
> >> hide files = /Desktop.ini/desktop.ini/
> >> hide dot files = yes
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
Cleber P. de Souza
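Cleber's item 2 relies on the documented behaviour of "check password script": Samba writes the new password to the script's standard input and rejects the change when the script exits non-zero, so the script can implement whatever rules the site wants, not only the cracklib dictionary lookup. The script below is an added example written for this note, not Samba's crackcheck and not anything posted in the thread. It enforces the character-class rules Guido asked for (minimum length, an uppercase letter, a lowercase letter, a digit) and rejects a password that contains the account name. The install path /usr/local/bin/pwcheck.sh, the --stdin flag and the optional username argument are this example's own conventions; Samba 3 passes only the password, so the username rule is applied only when a name is supplied.

```shell
#!/bin/sh
# pwcheck.sh: an example "check password script" for Samba (not Samba's own
# crackcheck). Samba writes the new password to standard input and rejects
# the change when the script exits non-zero; the rule set here is this
# example's own choice, not a Samba default.

MINLEN=8   # minimum length; tune to the site policy

# check_complexity PASSWORD [USERNAME]
# Returns 0 when every rule passes, 1 otherwise; the first failing rule is
# written to stderr so it shows up in the log.
check_complexity() {
    pw=$1
    user=${2:-}

    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "pwcheck: shorter than $MINLEN characters" >&2
        return 1
    fi
    # One character from each class. The POSIX classes are locale-aware,
    # so accented letters count, unlike a bare A-Z range.
    printf '%s\n' "$pw" | grep -q '[[:upper:]]' \
        || { echo "pwcheck: no uppercase letter" >&2; return 1; }
    printf '%s\n' "$pw" | grep -q '[[:lower:]]' \
        || { echo "pwcheck: no lowercase letter" >&2; return 1; }
    printf '%s\n' "$pw" | grep -q '[[:digit:]]' \
        || { echo "pwcheck: no digit" >&2; return 1; }

    # The account name must not appear in the password, in any letter case.
    if [ -n "$user" ]; then
        lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
        luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
        case "$lpw" in
            *"$luser"*) echo "pwcheck: contains the account name" >&2; return 1 ;;
        esac
    fi
    return 0
}

# check_stdin [USERNAME]
# Samba-facing entry point: the password arrives on standard input. Samba 3
# passes no account name, so the username rule only applies when a name is
# given as an argument (an assumption of this example, e.g. via a wrapper).
check_stdin() {
    IFS= read -r newpw || :   # tolerate a missing trailing newline
    check_complexity "$newpw" "${1:-}"
}

# Wire it up in smb.conf as (path and flag are this example's choice):
#   check password script = /usr/local/bin/pwcheck.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    check_stdin "${2:-}"
    exit $?
fi
```

Because Samba hands the script only the new password, the two remaining items from Guido's list (difference from the previous password and a history of old ones) cannot be done here and belong to the PAM stack that item 1 enables: pam_cracklib's difok setting for the former and the remember=N option of pam_unix for the latter.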