[Samba] samba password complexity help?
Morgan Toal
mtoal at burlingtoniowa.org
Thu Dec 17 13:38:34 MST 2009
Hi there,
Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.
The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word
Per the Samba 3.2 FAQ, the first three requirements are easily
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90
These items appear to work with no difficulty. However this does not
address the dictionary/complexity requirement.
I have seen the following suggestion elsewhere on the samba list:
check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
I am not able to use this suggestion directly. No file "crackcheck" is
present on my system. There is a /usr/sbin/cracklib-check but it seems
to work on a file or stream, like grep or something, as opposed to
returning a value as a function. And it does not seem to accept a "-d"
switch. There seems to be no man page for cracklib-check. I have a
dictionary in /usr/share/cracklib.
Here is what cracklib-check does...
# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger <-- attempting to check password "booger"
^C <-- sits there for input, ctrl-c to get out
It does not seem to be a program that "returns" something, so I don't
think it can return an error code to Samba if I use a crappy password.
I tried this anyway, but it does not seem to accomplish anything. I
see nothing in /var/log/messages or in /var/log/samba/log.smbd.
check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict
Well, it doesn't seem to work when I change my password from a Windows
client. Does anyone have any suggestions? Thanks.
So what it boils down to is:
0) what am I missing here?
1) where can I get an example crackcheck script file?
2) I have seen other suggestions to use pam. This might supersede some
of the tdbsam policy requirements. Is this a better method?
--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
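The gap the post runs into is that "check password script" expects a program that reads the candidate password from standard input and reports the verdict through its exit status (0 = acceptable, anything else = rejected), while cracklib-check reports its verdict as text on stdout, which is what the poster observes. The crackcheck program the list suggestion refers to is a small C helper in the Samba source tree (examples/auth/crackcheck), not part of cracklib. The wrapper below is an added example, not code from the post, from Samba or from cracklib: it feeds the password to cracklib-check, parses the "<password>: OK" / "<password>: <reason>" line and turns it into an exit code, logging only the reason (never the password). The script name smb-pwcheck.sh, the paths in CRACKLIB_CHECK and DICT, and the assumption that cracklib-check accepts the dictionary base name as its first argument are all assumptions to verify against the local install.

```shell
#!/bin/sh
# smb-pwcheck.sh (hypothetical name), used from smb.conf as:
#   check password script = /usr/local/sbin/smb-pwcheck.sh
# Samba writes the candidate password to this script's stdin and treats
# exit status 0 as "acceptable" and any other value as "rejected".
# cracklib-check prints "<password>: OK" or "<password>: <reason>" and does
# not signal the verdict through its exit status, so this wrapper converts
# the text verdict into an exit code.

# Assumed paths; adjust to the local install. The dictionary is given as
# the base name without the .pwd/.pwi/.hwm suffix.
CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}
DICT=${DICT:-/usr/share/cracklib/pw_dict}

# verdict_ok LINE: returns 0 if a cracklib-check output line ends in ": OK".
verdict_ok() {
    case "$1" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# reason_from_verdict LINE: the text after the last ": ", i.e. the reason
# alone, so the password itself never reaches syslog.
reason_from_verdict() {
    printf '%s\n' "${1##*: }"
}

# check_password: read one password from stdin, run it through cracklib,
# return 0 (accept) or 1 (reject). Nothing is echoed back to Samba.
check_password() {
    # read returns non-zero when the input lacks a trailing newline but
    # still fills the variable, so tolerate that and reject only empties.
    IFS= read -r pw || true
    [ -n "$pw" ] || return 1
    verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" "$DICT" 2>/dev/null)
    if verdict_ok "$verdict"; then
        return 0
    fi
    # log only the reason, never the password
    logger -t smb-pwcheck "password rejected: $(reason_from_verdict "$verdict")" 2>/dev/null || :
    return 1
}

# Run the check when invoked by Samba under the script's own name; skip it
# when the file is sourced (for example by a test harness).
case "${0##*/}" in
    smb-pwcheck.sh) check_password; exit $? ;;
esac
```

Install it executable and owned by root, point "check password script" at it in the [global] section, and test it by hand with `printf 'booger\n' | /usr/local/sbin/smb-pwcheck.sh; echo $?` before changing a password from a Windows client. Because the verdict line is parsed rather than the exit status, the wrapper does not depend on cracklib-check ever returning non-zero.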