[Samba] password strength doubt
guido at lorenzutti.com.ar
Wed Dec 27 22:53:08 GMT 2006
Thank you for your answer, but I tried what you said and it doesn't work.
I'm now using obey pam restrictions, I restarted samba... and this is my pam:
bowman:/var/log# cat /etc/pam.d/samba
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so minlen=6 dcredit=2
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
session optional /lib/security/pam_ldap.so
bowman:/var/log# testparm -v | grep obey
Load smb config files from /etc/samba/smb.conf
Processing section "[personal]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[publico]"
Processing section "[Grupos]"
Processing section "[profiles2]"
Processing section "[payroll]"
Processing section "[payrolladmin]"
Processing section "[Aida]"
Processing section "[esempi]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
obey pam restrictions = Yes
But when I try to change the password, I can still use my old one. I can
use a password without the two digits... as if nothing were checked.
Are you sure that obey pam restrictions works with LDAP?
Thanks in advance... Sorry for my English.
Cleber P. de Souza wrote:
> Hi Guido,
> There are a set of ways to accomplish such a task.
> Some I use are:
> 1) Set obey pam restrictions = yes in the smb.conf file.
> 2) Set check password script = /usr/sbin/crackcheck -d
> This checks the user password against a dictionary. Crackcheck can be
> downloaded from samba
> The cracklib package must be installed for the dictionary to work.
> 3) Use pam_cracklib to set your password rules for lower/upper
> characters, numbers, special characters, etc:
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
> Or pam_passwdqc for the same thing:
> password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
> See the man pages for correct options values.
> 4) You can block users after X retries using pam_tally.so, but I
> haven't tried this yet.
> I think this can help you.
> On 12/26/06, Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
>> Maybe I can do this with the "check password script". But I only found
>> the cracklib example. Does anyone know a way of doing this? Because the
>> cracklib example only checks against a dictionary.
>> Thanks in advance.
>> Gary Dale wrote:
>> > I think you'll find at least some of these are Windows Policies and
>> > would not be reflected in the smb.conf file. If you check the Samba
>> > Howto collection and the Samba by example documents at samba.org,
>> > you'll find examples of how to set some of the policies.
>> > To be honest, I've never gone beyond requiring password changes,
>> > minimum lengths and histories. :)
>> > Guido Lorenzutti wrote:
>> >> Hi people! I have a few problems with the password strength in Samba.
>> >> I have a PDC with LDAP on Debian Stable, with a few packages from
>> >> backports.
>> >> The problem is that I can't find a way to enforce strength for the
>> >> users' passwords. I can't define a policy to force things like:
>> >> number of uppercase letters, number of lowercase letters, number of
>> >> digits in the password, checking the difference between the new and
>> >> the old one, storing a list of old passwords to check... I mean, things
>> >> that are required by my company to enforce some security policy.
>> >> Bottom line? The users can use their username as their password! Not even
>> >> that is checked...
>> >> Is something wrong in my setup, or is this a feature request? I see min
>> >> password length.. but.. the rest?
>> >> This is the important part of my setup:
>> >> [global]
>> >> #Network ID
>> >> workgroup = JUSBAIRES
>> >> netbios name = PDC
>> >> netbios aliases = SERVER
>> >> server string =
>> >> #Logs
>> >> debug level = 0
>> >> syslog = 0
>> >> log level = 0
>> >> log file = /var/log/samba/%m.%U.log
>> >> max log size = 10000
>> >> panic action = /usr/share/samba/panic-action %d
>> >> #Network Support
>> >> name resolve order = wins hosts lmhosts bcast
>> >> socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
>> >> wins support = yes
>> >> wins proxy = yes
>> >> enhanced browsing = yes
>> >> dns proxy = yes
>> >> time server = yes
>> >> local master = yes
>> >> smb ports = 139
>> >> #LDAP
>> >> ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>> >> ldap suffix = dc=jusbaires,dc=gov,dc=ar
>> >> ldap group suffix = ou=Group
>> >> ldap user suffix = ou=People
>> >> ldap machine suffix = ou=alem,ou=Computers
>> >> ldap delete dn = no
>> >> ldap passwd sync = yes
>> >> #Printer Options
>> >> printcap name = /dev/null
>> >> printing = bsd
>> >> load printers = no
>> >> #Security Options
>> >> admin users = administrador lgiacchetta
>> >> enable privileges = yes
>> >> preferred master = yes
>> >> lm announce = yes
>> >> domain master = yes
>> >> domain logons = yes
>> >> encrypt passwords = yes
>> >> pam password change = yes
>> >> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar"
>> >> passwd chat debug = no
>> >> check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
>> >> unix charset = 850
>> >> dont descend = .recycle
>> >> delete veto files = yes
>> >> restrict anonymous = 1
>> >> #Profiles stuff
>> >> logon script = netlogon.%U.bat
>> >> logon path = \\PDC\profiles\%U
>> >> logon home = \\PDC\personal
>> >> logon drive = H:
>> >> hide files = /Desktop.ini/desktop.ini/
>> >> hide dot files = yes
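An added example (not written by anyone in this thread) that models the minlen/credit arithmetic pam_cracklib documents in its man page. It bears on the line "password required /lib/security/pam_cracklib.so minlen=6 dcredit=2" in Guido's /etc/pam.d/samba: a positive dcredit is a length credit, not a requirement, so a six-letter password with no digits still passes; only a negative value such as dcredit=-2 demands two digits, which is how Cleber's suggested dcredit=-1 lcredit=-1 line works. The function below reproduces only the length/credit rule; the real module also runs the dictionary, palindrome and old-vs-new similarity checks, which are left out here.

```python
"""Model of pam_cracklib's minlen/credit rule (educational reimplementation,
not the module's code). Defaults match the module's documented defaults:
minlen=9 and a credit of 1 for each character class."""

from typing import Tuple


def cracklib_length_ok(password: str, minlen: int = 9, dcredit: int = 1,
                       ucredit: int = 1, lcredit: int = 1,
                       ocredit: int = 1) -> Tuple[bool, str]:
    """Return (accepted, reason) for the length/credit part of pam_cracklib.

    A credit N >= 0 lets up to N characters of that class count as extra
    length toward minlen. A credit -N < 0 instead *requires* at least N
    characters of that class and grants no length credit for them.
    """
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    other = len(password) - digits - upper - lower

    size = len(password)
    for name, count, credit in (("digit", digits, dcredit),
                                ("uppercase", upper, ucredit),
                                ("lowercase", lower, lcredit),
                                ("other", other, ocredit)):
        if credit >= 0:
            size += min(count, credit)          # length bonus, capped at credit
        elif count < -credit:
            return False, f"needs at least {-credit} {name} character(s)"
    if size < minlen:
        return False, f"credited length {size} is below minlen={minlen}"
    return True, "ok"


def compare_posted_and_fixed(password: str) -> Tuple[bool, bool]:
    """Evaluate one password under the posted line (minlen=6 dcredit=2) and
    under the corrected sign (minlen=6 dcredit=-2)."""
    posted, _ = cracklib_length_ok(password, minlen=6, dcredit=2)
    fixed, _ = cracklib_length_ok(password, minlen=6, dcredit=-2)
    return posted, fixed


if __name__ == "__main__":
    for pw in ("abcdef", "abcd12", "ab1"):
        print(pw, compare_posted_and_fixed(pw))
```

Running it shows why the complaint in the thread is expected behaviour: "abcdef" is accepted by the posted line (six lowercase letters plus one letter credit gives a credited length of 7) and rejected only once dcredit is negative.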
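A second added example, also not from the thread, showing the "check password script" route that Cleber and Guido discuss, as a replacement for the dictionary-only crackcheck. According to the smb.conf manual, Samba writes the new password to the script's stdin and accepts it only if the script exits 0, and it does this on SMB password changes regardless of the passdb backend; note also that obey pam restrictions governs PAM account and session handling, not password changes, so with ldap passwd sync = yes the PAM password stack above is never consulted. The script below enforces the composition rules from Guido's first post (uppercase, lowercase and digit counts, minimum length, and no username inside the password). Passing the username as the first argument via %u substitution in the smb.conf value (for example "check password script = /usr/local/bin/pwpolicy.py %u") is an assumption to verify against the installed version's man page. Since the script only ever sees the new password, old-vs-new difference and password history cannot be enforced here.

```python
#!/usr/bin/env python3
"""Hypothetical Samba 'check password script' (example code, not part of Samba).

Samba passes the new password on stdin; exit 0 accepts it, any other status
rejects it. The old password is not available to the script, so history and
old-vs-new checks are out of scope for this hook.
"""

import sys
from typing import Dict, List

# Policy values are illustrative; adjust to the company's requirements.
POLICY: Dict[str, int] = {"minlen": 8, "min_upper": 1, "min_lower": 1, "min_digit": 2}


def check_password(password: str, username: str = "",
                   policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < policy["minlen"]:
        problems.append(f"shorter than {policy['minlen']} characters")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        problems.append(f"fewer than {policy['min_upper']} uppercase letter(s)")
    if sum(c.islower() for c in password) < policy["min_lower"]:
        problems.append(f"fewer than {policy['min_lower']} lowercase letter(s)")
    if sum(c.isdigit() for c in password) < policy["min_digit"]:
        problems.append(f"fewer than {policy['min_digit']} digit(s)")
    if username:
        lowered, user = password.lower(), username.lower()
        # Reject the username embedded forwards or reversed, case-insensitively.
        if user in lowered or user[::-1] in lowered:
            problems.append("contains the username (forward or reversed)")
    return problems


def main(argv: List[str]) -> int:
    username = argv[1] if len(argv) > 1 else ""
    # Read everything Samba wrote and drop only a trailing line break, so
    # passwords containing spaces survive intact.
    password = sys.stdin.read().rstrip("\r\n")
    problems = check_password(password, username)
    for p in problems:
        print(f"password rejected: {p}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Samba discards the script's output, so the messages on stderr are for testing from a shell (echo 'guido123' | ./pwpolicy.py guido); the user at the Windows client only sees that the change was refused. Any failure inside the script that produces a non-zero exit also rejects the password, which is the safe default for a policy hook.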