[Samba] samba password complexity help?

Morgan Toal mtoal at burlingtoniowa.org
Thu Dec 17 13:38:34 MST 2009


Hi there,

Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily 
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However this does not 
address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

check password script = /usr/local/sbin/crackcheck -d 
/var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is 
present on my system. There is a /usr/sbin/cracklib-check, but it seems 
to work on a file or stream, like grep or something, as opposed to 
returning a value as a function. And it does not seem to accept a "-d" 
switch. There seems to be no man page for cracklib-check. I have a 
dictionary in /usr/share/cracklib.

Here is what cracklib-check does...

# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger   <-- attempting to check password "booger"
^C                        <-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't 
think it can return an error code to Samba if I use a crappy password. 
I tried this anyway, but it does not seem to accomplish anything. I 
see nothing in /var/log/messages or in /var/log/samba/log.smbd.

check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows 
client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?

1) where can I get an example crackcheck script file?

2) I have seen other suggestions to use pam. This might supersede some 
of the tdbsam policy requirements. Is this a better method?



-- 
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
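A wrapper of the kind asked about in question 1, added here as an example; it is not from the original thread and not Samba's own crackcheck program. It reads the candidate password from stdin (which is how Samba feeds "check password script"), runs it through the /usr/sbin/cracklib-check binary the poster already has, parses the textual "password: OK" / "password: reason" verdict (cracklib-check reports via text, not exit status, as the session above shows), and exits 0 to accept or 1 to reject, logging rejections to syslog. The install name samba-checkpw.sh, the logger tag and the CRACKLIB_CHECK / MIN_LENGTH variables are assumptions.

```shell
#!/bin/sh
# Samba "check password script" wrapper around cracklib-check.
# Assumed install: /usr/local/sbin/samba-checkpw.sh, referenced in smb.conf as
#   check password script = /usr/local/sbin/samba-checkpw.sh
# Samba writes the new password to stdin; exit 0 = accept, non-zero = reject.

CRACKLIB_CHECK="${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}"
MIN_LENGTH="${MIN_LENGTH:-8}"

# verdict_from_output LINE
# cracklib-check prints "<password>: OK" or "<password>: <reason>" and always
# exits 0, so the verdict must be parsed. Use the text after the LAST ": " so a
# password that itself contains ": " cannot forge an "OK".
verdict_from_output() {
    case "$1" in
        *": "*) [ "${1##*: }" = "OK" ] ;;
        *) return 1 ;;   # unexpected or empty output: fail closed
    esac
}

# check_password PASSWORD
# Enforce the length floor locally, then the cracklib dictionary check.
check_password() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LENGTH" ] || return 1
    out=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>/dev/null) || return 1
    verdict_from_output "$out"
}

main() {
    # Read one line; accept input without a trailing newline too.
    IFS= read -r candidate || [ -n "$candidate" ] || exit 1
    if check_password "$candidate"; then
        exit 0
    fi
    # Never log the password itself, only the fact of a rejection.
    logger -t samba-checkpw "password change rejected by complexity check"
    exit 1
}

# Run as a program only when invoked under the installed name; sourcing
# the file (for tests) just defines the functions.
case "${0##*/}" in
    samba-checkpw.sh) main ;;
esac
```

Samba runs the script as the smbd process owner, so the script and cracklib-check must be readable and executable by it; test from a shell with `printf 'booger\n' | /usr/local/sbin/samba-checkpw.sh; echo $?` before pointing smb.conf at it.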

