[Samba] check password script

Nick Sharp nick.sharp at valex.com.au
Tue Dec 9 05:17:48 GMT 2008

Hi all,


I'm quite new to all this, so please go easy on me if I don't quite seem to
say the right things. (any advice is good advice)


I have a 3.0.14a-debian samba install, with ldap auth using pam_unix (see
smb.conf below)


We want to implement a few password checks for complexity, so I have written
a pretty basic script (see below) which definitely exits 0 on a good
password and throws it at cracklib (after complexity checks) to check for
dictionary words.


pdc:~/scripts# ./cracklib.sh repasdateA!

pdc:~/scripts# echo $?


pdc:~/scripts# ./cracklib.sh r3pl1Cat3

ERR - it is based on a dictionary word

pdc:~/scripts# echo $?



When I add it into smb.conf, it doesn't work. All users get a message saying
it isn't matching the pdbedit policies (even though it is) no password
changes happen at all and I am a bit lost as to why. My googling only shows
that it should exit 0 on a good password, which we have proven correct and
that samba sends the password to the script as stdin. I /dev/null any script
output other than exits.


Can anyone guide me to the right place?


Cracklib.sh script;



if [ `echo $1 | egrep -e '[A-Z]' | egrep -e '[a-z]' | egrep -e '[0-9]' 2>
/dev/null` ]; then

                echo $1 | /sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict 2>& 1> /dev/null

                exit $?


        if [[ `echo $1 | egrep -e '[@#$%^&+=:;!]' 2> /dev/null` && `echo $1
| egrep -e '[0-9]' 2> /dev/null`  ||  `echo $1 | egrep -e '[@#$%^&+=:;!]' 2>
/dev/null` && `echo $1 | egrep -e '[A-Z]' 2> /dev/null` ]]; then

                       echo $1 | /sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict 2>& 1> /dev/null

                        exit $?


                echo "Your password does not follow our policy see

        exit 1;







   workgroup = valman

   server string = %L (Samba %v)

   wins support = yes

   dns proxy = no

   netbios name = fileserver

   logon script = logon.bat

   log file = /var/log/samba/log.%m

   max log size = 1000

   syslog = 0

   panic action = /usr/share/samba/panic-action %d

   encrypt passwords = true

   check password script = /root/scripts/cracklib.sh


   passdb backend = ldapsam:ldap://

   ldap suffix = <edited to protect the innocent>

   ldap machine suffix = <edited to protect the innocent>

   ldap user suffix = <edited to protect the innocent>

   ldap group suffix = <edited to protect the innocent>

   ldap admin dn = <edited to protect the innocent>

   ldap delete dn = no

   ldap password sync = yes


   domain master = yes

   domain logons = yes

   enable privileges = yes


   obey pam restrictions = yes


;   guest account = nobody

   invalid users = root


   unix password sync = yes


   passwd program = /usr/bin/vxpasswd %u %n

   passwd chat = *thanks:* %n\n *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n 


######## File sharing ########


   socket options = TCP_NODELAY



#======================= Share Definitions =======================



I do have another question, but its not important by comparison.

Does the Check Password Script option allow additional variables to be sent
ala passwd program options?


check password script = /root/scripts/cracklib.sh %u


mainly as I would like the script to do checks that users aren't using their
own name in passwords, but when I also tried that, the same problem remained
(not sure if it is because of the first issue or if its separate/not







Nick Sharp


e  <mailto:nick.sharp at valex.com.au> nick.sharp at valex.com.au


More information about the samba mailing list