[Samba] samba password complexity help?

Morgan Toal mtoal at burlingtoniowa.org
Mon Dec 21 07:50:19 MST 2009


Hi there,

I'll repost this, as I'm kind of needing to get some resolution on this 
issue. If anyone has some documentation they could point me to I'd 
appreciate it, or perhaps a sample check password script suitable for 
Fedora 11.

Thanks!!!

mtoal

-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal <mtoal at burlingtoniowa.org>
To: samba at lists.samba.org

Hi there,

Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However this does not
address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

check password script = /usr/local/sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is
present on my system. There is a /usr/sbin/cracklib-check but it seems
to work on a file or stream, like grep or something, as opposed to
returning a value as a function. And it does not seem to accept a "-d"
switch. There seems to be no man page for cracklib-check. I have a
dictionary in /usr/share/cracklib.

Here is what cracklib-check does...

# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger   <-- attempting to check password "booger"
^C                        <-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't
think it can return an error code to Samba if I use a crappy password.
I try this anyway, but it does not seem to accomplish anything. I
see nothing in /var/log/messages or in /var/log/samba/log.smbd.

check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows
client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?

1) where can I get an example crackcheck script file?

2) I have seen other suggestions to use pam. This might supersede some
of the tdbsam policy requirements. Is this a better method?



-- 
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
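A wrapper of the kind asked for in question 1, written here as an added example (it is not the crackcheck program from the Samba examples directory and not code from the thread): Samba feeds the new password to the "check password script" on stdin and accepts it only when the script exits 0, while cracklib-check reports its verdict as text, so the wrapper reads stdin, runs cracklib-check and converts the "<password>: OK" line into an exit status. It assumes the binary at /usr/sbin/cracklib-check (the poster's Fedora 11 layout) and an install path of /usr/local/sbin/samba-pwcheck; both are assumptions.

```shell
#!/bin/sh
# Added example: Samba "check password script" wrapper around cracklib-check.
# Samba writes the candidate password to the script's stdin and treats exit
# status 0 as "acceptable", anything else as "rejected". cracklib-check only
# prints "<password>: OK" or "<password>: <reason>", so the verdict has to be
# turned into an exit status here.
# Assumed install path, referenced in smb.conf as
#   check password script = /usr/local/sbin/samba-pwcheck
# Assumed Fedora path for the binary; override with the CRACKLIB_CHECK variable.

CRACKLIB_CHECK="${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}"

# classify_cracklib_output LINE: 0 if LINE is an "OK" verdict, else 1.
# Only the suffix counts, so a password that itself contains ": OK" (which
# cracklib-check echoes back in front of the verdict) cannot forge a pass.
classify_cracklib_output() {
    case "$1" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# cracklib_reason LINE: the verdict text without the echoed password.
cracklib_reason() {
    printf '%s\n' "${1##*": "}"
}

# samba_check_password: read the password from stdin (never from argv, where
# `ps` could show it), run cracklib-check on it, return 0 only for "OK".
samba_check_password() {
    pw=""
    # Samba may send the password without a trailing newline: accept EOF too.
    IFS= read -r pw || [ -n "$pw" ] || return 1
    # Fail closed: a missing checker rejects the change instead of allowing it.
    [ -x "$CRACKLIB_CHECK" ] || { echo "checker missing: $CRACKLIB_CHECK" >&2; return 2; }
    verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>/dev/null | tail -n 1)
    classify_cracklib_output "$verdict" && return 0
    # Leave a trace of why the change was refused, without the password itself.
    msg="password rejected: $(cracklib_reason "$verdict")"
    echo "$msg" >&2
    command -v logger >/dev/null 2>&1 && logger -t samba-pwcheck "$msg"
    return 1
}

# Entry point when Samba runs the installed script; when the file is loaded
# under another name (e.g. sourced for testing) only the functions are defined.
case "${0##*/}" in
    samba-pwcheck*) samba_check_password; exit $? ;;
esac
```

Samba reports only pass or fail to the Windows client, so the syslog line is the place to look when a change is refused for a reason you did not expect.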