[Samba] password strenght doubt (maximum password age not working)

Guido Lorenzutti guido at lorenzutti.com.ar
Wed Dec 27 23:32:18 GMT 2006


Allright! I fix one of the problems. How can you check that the user is 
not using an old password?

pdbedit -P list
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change

pdbedit -P "password history" -C 4

This actually works! Now my ldiff shows:
smbldap-usershow glorenzutti | grep sambaPassword
sambaPasswordHistory: 
09DEA23A420CB589FB6F14988B67FF0B839BD8518FBEA395AEFA6F77E907F630245AC934D62C1472F2324A977F76616E5670EF67F0793D8218977A2BAAD03817813D37ACA0EC6DBF46AF0B507B55E09D6431E1A0E609D0013DACB3B0BD4CD7350000000000000000000000000000000000000000000000000000000000000000

This is great. I have working this and the dictionary passwords with the 
"check password script".

Know what Im missing:

1) check that the new password is not similar to the old one.
2) check that the new password has at least 2 digits.

The thing I found that dosen't work is the pdbedit -P "maximum password 
age" -C someunixtime
The default says 4294967295 and if I put 1180224000 instead ( 6 months 
), when I change a password it goes to 1907!

Any clues?

Thanks.



Guido Lorenzutti wrote:
> welll.... obey pam restrictions and "encrypt passwords = yes" dosen't 
> work at the same time. If you select "encrypt passwords = yes" "obey 
> pam .." dosen't work anymore. And I cant say no to encrypt passwords...
>
> Any other idea?
>
>
> Guido Lorenzutti wrote:
>> Thank you for you answear, but I try what you say and it dosen't work.
>> I now using obey pam restrictions, I restart samba... and this is my 
>> pam config:
>>
>> bowman:/var/log# cat /etc/pam.d/samba
>> account required  /lib/security/pam_unix.so
>> account sufficient  /lib/security/pam_ldap.so
>> auth    required    /lib/security/pam_env.so
>> auth    sufficient  /lib/security/pam_unix.so likeauth nullok shadow
>> auth    sufficient  /lib/security/pam_ldap.so use_first_pass
>> auth    required    /lib/security/pam_deny.so
>> password    required /lib/security/pam_cracklib.so minlen=6 dcredit=2 
>> difok=2 retry=3
>> password    sufficient /lib/security/pam_unix.so nullok use_authtok 
>> shadow md5
>> password    sufficient /lib/security/pam_ldap.so use_authtok
>> password    required /lib/security/pam_deny.so
>> session required    /lib/security/pam_limits.so
>> session required    /lib/security/pam_unix.so
>> session required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ 
>> umask=077
>> session optional    /lib/security/pam_ldap.so
>>
>> bowman:/var/log# testparm -v | grep obey
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[personal]"
>> Processing section "[netlogon]"
>> Processing section "[profiles]"
>> Processing section "[publico]"
>> Processing section "[Grupos]"
>> Processing section "[profiles2]"
>> Processing section "[payroll]"
>> Processing section "[payrolladmin]"
>> Processing section "[Aida]"
>> Processing section "[esempi]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_PDC
>> Press enter to see a dump of your service definitions
>>
>>        obey pam restrictions = Yes
>>
>> But when I try to change the password, I can use my old one still. I 
>> can use a password withouth the two digits... like nothing.
>> Are you sure that with ldap the obey pam restrictions works?
>>
>> Thanks in advance... Sorry for my english.
>>
>>
>> Cleber P. de Souza wrote:
>>> Hi Guido,
>>>
>>> There are a set of ways to accomplish such task.
>>> Some I use is:
>>> 1) Set obey pam restrictions = yes in the smb.conf file.
>>> 2) Set check password script = /usr/sbin/crackcheck -d 
>>> /usr/lib/cracklib_dict
>>> This check the user password against a dictionary. Crackcheck can be
>>> downloaded from samba
>>> (http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/). 
>>>
>>> The cracklib package must be installed for the dictionary to work.
>>> 3) Use pam pam_cracklib to set your password rules for lower/upper
>>> characters, numbers, special characters, etc:
>>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>>> minlen=8 difok=3 dcredit=-1 lcredit=-1
>>> Or pam_passwdqc for the same thing:
>>> password    requisite    /lib/security/$ISA/pam_passwdqc.so
>>> min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64
>>> enforce=users retry=3
>>> See the man pages for correct options values.
>>> 4) You can block users after X retries using pam pam_tally.so, but I
>>> haven't tried this yet.
>>>
>>> I think this can help you.
>>>
>>>
>>> On 12/26/06, Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
>>>> Maybe I can do this with the "check password script". But I only found
>>>> the cracklib example. Anyone knows a way of doing this? Becouse the
>>>> cracklib example only check agains a dictionary.
>>>>
>>>> Tnxs in advance.
>>>>
>>>>
>>>> Gary Dale wrote:
>>>> > I think you'll find at least some of these are Windows Policies and
>>>> > would not be reflected in the smb.conf file. If you check the Samba
>>>> > Howto collection and the Samba by example documents at samba.org,
>>>> > you'll find examples of how to set some of the policies.
>>>> >
>>>> > To be honest, I've never gone beyond requiring password changes,
>>>> > minimum lengths and histories.  :)
>>>> >
>>>> >
>>>> > Guido Lorenzutti wrote:
>>>> >> Hi people! I have a few problems with the password strength in 
>>>> Samba.
>>>> >> I have a PDC with LDAP on Debian Stable, with a few packages from
>>>> >> backports.
>>>> >> The problem is that I can't find a way to enforce strenght to the
>>>> >> passwords of the users. I can't define a policy to force things 
>>>> like:
>>>> >> number of uppercase letters, number of downcase letters, number of
>>>> >> numbers in the password, to check the diference between the new and
>>>> >> the old, to store a list of old passwords to check... I mean, 
>>>> things
>>>> >> that are requiered to enforce some policy of security by my 
>>>> company.
>>>> >> Bottom line? The users can put his username for password! Not even
>>>> >> that is checked...
>>>> >>
>>>> >> It's something wrong in my setup or is a feature request? I see min
>>>> >> password length.. but.. the rest?
>>>> >>
>>>> >>
>>>> >> This is the important part of my setup:
>>>> >>
>>>> >> [global]
>>>> >> #Network ID
>>>> >>        workgroup = JUSBAIRES
>>>> >>        netbios name = PDC
>>>> >>        netbios aliases = SERVER
>>>> >>        server string =
>>>> >>
>>>> >> #Logs
>>>> >>        debug level = 0
>>>> >>        syslog = 0
>>>> >>        log level = 0
>>>> >>        log file = /var/log/samba/%m.%U.log
>>>> >>        max log size = 10000
>>>> >>        panic action = /usr/share/samba/panic-action %d
>>>> >>
>>>> >> #Network Support
>>>> >>        name resolve order = wins hosts lmhosts bcast
>>>> >>        socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
>>>> >> IPTOS_LOWDELAY SO_KEEPALIVE
>>>> >>        wins support = yes
>>>> >>        wins proxy = yes
>>>> >>        enhanced browsing = yes
>>>> >>        dns proxy = yes
>>>> >>        time server = yes
>>>> >>        local master = yes
>>>> >>        smb ports = 139
>>>> >>
>>>> >> #LDAP
>>>> >>        ldap admin dn =
>>>> >> uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>>>> >>        ldap suffix = dc=jusbaires,dc=gov,dc=ar
>>>> >>        ldap group suffix = ou=Group
>>>> >>        ldap user suffix = ou=People
>>>> >>        ldap machine suffix = ou=alem,ou=Computers
>>>> >>        ldap delete dn = no
>>>> >>        ldap passwd sync = yes
>>>> >>
>>>> >> #Printer Options
>>>> >>        printcap name = /dev/null
>>>> >>        printing = bsd
>>>> >>        load printers = no
>>>> >>
>>>> >> #Security Options
>>>> >>        admin users = administrador lgiacchetta
>>>> >>        enable privileges = yes
>>>> >>        preferred master = yes
>>>> >>        lm announce = yes
>>>> >>        domain master = yes
>>>> >>        domain logons = yes
>>>> >>        encrypt passwords = yes
>>>> >>        pam password change = yes
>>>> >>        passdb backend = ldapsam:"ldap://127.0.0.1
>>>> >> ldap://alem-ldap.jusbaires.gov.ar
>>>> >> ldap://alem-systemlog.jusbaires.gov.ar"
>>>> >>        passwd chat debug = no
>>>> >>        check password script = /usr/local/bin/crackcheck -d
>>>> >> /var/cache/cracklib/cracklib_dict
>>>> >>        unix charset = 850
>>>> >>        dont descend = .recycle
>>>> >>        delete veto files = yes
>>>> >>        restrict anonymous = 1
>>>> >>
>>>> >> #Profiles stuff
>>>> >>        logon script = netlogon.%U.bat
>>>> >>        logon path = \\PDC\profiles\%U
>>>> >>        logon home = \\PDC\personal
>>>> >>        logon drive = H:
>>>> >>        hide files = /Desktop.ini/desktop.ini/
>>>> >>        hide dot files = yes
>>>> >
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>>
>>>
>>>
>>
>
>



More information about the samba mailing list