[Samba] password strength doubt
Guido Lorenzutti
guido at lorenzutti.com.ar
Wed Dec 27 23:05:27 GMT 2006
Well... "obey pam restrictions" and "encrypt passwords = yes" don't
work at the same time. If you select "encrypt passwords = yes", "obey pam
..." doesn't work anymore. And I can't say no to encrypt passwords...
Any other idea?
Guido Lorenzutti wrote:
> Thank you for your answer, but I tried what you said and it doesn't work.
> I'm now using obey pam restrictions, I restarted samba... and this is my
> pam config:
>
> bowman:/var/log# cat /etc/pam.d/samba
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
> password required /lib/security/pam_cracklib.so minlen=6 dcredit=2
> difok=2 retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok
> shadow md5
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
> umask=077
> session optional /lib/security/pam_ldap.so
>
> bowman:/var/log# testparm -v | grep obey
> Load smb config files from /etc/samba/smb.conf
> Processing section "[personal]"
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[publico]"
> Processing section "[Grupos]"
> Processing section "[profiles2]"
> Processing section "[payroll]"
> Processing section "[payrolladmin]"
> Processing section "[Aida]"
> Processing section "[esempi]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> obey pam restrictions = Yes
>
> But when I try to change the password, I can still use my old one. I
> can use a password without the two digits... like nothing.
> Are you sure that with ldap the obey pam restrictions works?
>
> Thanks in advance... Sorry for my english.
>
>
> Cleber P. de Souza wrote:
>> Hi Guido,
>>
>> There are a set of ways to accomplish such a task.
>> Some I use are:
>> 1) Set obey pam restrictions = yes in the smb.conf file.
>> 2) Set check password script = /usr/sbin/crackcheck -d
>> /usr/lib/cracklib_dict
>> This checks the user password against a dictionary. Crackcheck can be
>> downloaded from samba
>> (http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
>> The cracklib package must be installed for the dictionary to work.
>> 3) Use pam pam_cracklib to set your password rules for lower/upper
>> characters, numbers, special characters, etc:
>> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>> minlen=8 difok=3 dcredit=-1 lcredit=-1
>> Or pam_passwdqc for the same thing:
>> password requisite /lib/security/$ISA/pam_passwdqc.so
>> min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64
>> enforce=users retry=3
>> See the man pages for correct options values.
>> 4) You can block users after X retries using pam pam_tally.so, but I
>> haven't tried this yet.
>>
>> I think this can help you.
>>
>>
>> On 12/26/06, Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
>>> Maybe I can do this with the "check password script". But I only found
>>> the cracklib example. Anyone knows a way of doing this? Because the
>>> cracklib example only checks against a dictionary.
>>>
>>> Thanks in advance.
>>>
>>>
>>> Gary Dale wrote:
>>> > I think you'll find at least some of these are Windows Policies and
>>> > would not be reflected in the smb.conf file. If you check the Samba
>>> > Howto collection and the Samba by example documents at samba.org,
>>> > you'll find examples of how to set some of the policies.
>>> >
>>> > To be honest, I've never gone beyond requiring password changes,
>>> > minimum lengths and histories. :)
>>> >
>>> >
>>> > Guido Lorenzutti wrote:
>>> >> Hi people! I have a few problems with the password strength in Samba.
>>> >> I have a PDC with LDAP on Debian Stable, with a few packages from
>>> >> backports.
>>> >> The problem is that I can't find a way to enforce the strength of the
>>> >> users' passwords. I can't define a policy to force things like:
>>> >> number of uppercase letters, number of lowercase letters, number of
>>> >> digits in the password, to check the difference between the new and
>>> >> the old, to store a list of old passwords to check... I mean, things
>>> >> that are required to enforce some security policy by my company.
>>> >> Bottom line? The users can use their username as password! Not even
>>> >> that is checked...
>>> >>
>>> >> Is something wrong in my setup or is it a feature request? I see min
>>> >> password length... but... the rest?
>>> >>
>>> >>
>>> >> This is the important part of my setup:
>>> >>
>>> >> [global]
>>> >> #Network ID
>>> >> workgroup = JUSBAIRES
>>> >> netbios name = PDC
>>> >> netbios aliases = SERVER
>>> >> server string =
>>> >>
>>> >> #Logs
>>> >> debug level = 0
>>> >> syslog = 0
>>> >> log level = 0
>>> >> log file = /var/log/samba/%m.%U.log
>>> >> max log size = 10000
>>> >> panic action = /usr/share/samba/panic-action %d
>>> >>
>>> >> #Network Support
>>> >> name resolve order = wins hosts lmhosts bcast
>>> >> socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
>>> >> IPTOS_LOWDELAY SO_KEEPALIVE
>>> >> wins support = yes
>>> >> wins proxy = yes
>>> >> enhanced browsing = yes
>>> >> dns proxy = yes
>>> >> time server = yes
>>> >> local master = yes
>>> >> smb ports = 139
>>> >>
>>> >> #LDAP
>>> >> ldap admin dn =
>>> >> uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>>> >> ldap suffix = dc=jusbaires,dc=gov,dc=ar
>>> >> ldap group suffix = ou=Group
>>> >> ldap user suffix = ou=People
>>> >> ldap machine suffix = ou=alem,ou=Computers
>>> >> ldap delete dn = no
>>> >> ldap passwd sync = yes
>>> >>
>>> >> #Printer Options
>>> >> printcap name = /dev/null
>>> >> printing = bsd
>>> >> load printers = no
>>> >>
>>> >> #Security Options
>>> >> admin users = administrador lgiacchetta
>>> >> enable privileges = yes
>>> >> preferred master = yes
>>> >> lm announce = yes
>>> >> domain master = yes
>>> >> domain logons = yes
>>> >> encrypt passwords = yes
>>> >> pam password change = yes
>>> >> passdb backend = ldapsam:"ldap://127.0.0.1
>>> >> ldap://alem-ldap.jusbaires.gov.ar
>>> >> ldap://alem-systemlog.jusbaires.gov.ar"
>>> >> passwd chat debug = no
>>> >> check password script = /usr/local/bin/crackcheck -d
>>> >> /var/cache/cracklib/cracklib_dict
>>> >> unix charset = 850
>>> >> dont descend = .recycle
>>> >> delete veto files = yes
>>> >> restrict anonymous = 1
>>> >>
>>> >> #Profiles stuff
>>> >> logon script = netlogon.%U.bat
>>> >> logon path = \\PDC\profiles\%U
>>> >> logon home = \\PDC\personal
>>> >> logon drive = H:
>>> >> hide files = /Desktop.ini/desktop.ini/
>>> >> hide dot files = yes
>>> >
>>>
>>>
>>
>>
>
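As an added example (not Samba's crackcheck and not code from the thread), here is a complexity-checking "check password script" of the kind Guido is asking for: Samba pipes the candidate password to the program's standard input and accepts the password only when the program exits 0. The SAMBA_USERNAME environment variable is an assumption about the Samba version in use; when it is not set, the username rule is skipped.

```python
#!/usr/bin/env python3
"""Complexity check for Samba's "check password script" hook.

Samba pipes the candidate password to this program's standard input and
accepts it only if the program exits 0.  Only the new password arrives, so
old/new difference and history rules cannot be enforced from this hook.
"""
import os
import re
import sys

# Policy thresholds (constructed for this example; adjust to your rules).
MIN_LEN = 8
CLASSES = (
    (1, r"[A-Z]", "uppercase letters"),
    (1, r"[a-z]", "lowercase letters"),
    (2, r"[0-9]", "digits"),
    (1, r"[^A-Za-z0-9]", "special characters"),
)


def check_password(password, username=None):
    """Return the list of violated rules; an empty list means accept."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    for minimum, pattern, label in CLASSES:
        if len(re.findall(pattern, password)) < minimum:
            problems.append("fewer than %d %s" % (minimum, label))
    if username:
        pw, user = password.lower(), username.lower()
        # Reject the username itself, or the username embedded or reversed.
        if user in pw or user[::-1] in pw:
            problems.append("contains the username")
    return problems


def main():
    # Strip only the line terminator so leading/trailing spaces still count.
    password = sys.stdin.readline().rstrip("\r\n")
    # SAMBA_USERNAME is assumed to be exported by Samba; when it is absent
    # (older releases), the username rule is simply skipped.
    problems = check_password(password, os.environ.get("SAMBA_USERNAME"))
    for problem in problems:
        sys.stderr.write("password rejected: %s\n" % problem)
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

Point `check password script` in smb.conf at this file (made executable) in place of crackcheck; like crackcheck, it only runs for password changes that go through Samba, not for changes written to LDAP directly.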