[Samba] samba password complexity help?

Jack Downes jax at nwmt.us
Mon Dec 21 08:54:40 MST 2009


If you've got password synchronization working, you should be able to
depend on system complexity tests.  I think in RH, those settings are in
/etc/pam.d/system-auth  or /etc/pam.d/common-password.  I can't recall
for sure.  But try taking a look at that route. Might work, who knows...

Morgan Toal wrote:
> Hi there,
>
> I'll repost this, as I'm kind of needing to get some resolution on
> this issue. If anyone has some documentation they could point me to
> I'd appreciate it, or perhaps a sample check password script suitable
> for Fedora 11.
>
> Thanks!!!
>
> mtoal
>
> -------- Original Message --------
> Subject: [Samba] samba password complexity help?
> Date: Thu, 17 Dec 2009 14:38:34 -0600
> From: Morgan Toal <mtoal at burlingtoniowa.org>
> To: samba at lists.samba.org
>
> Hi there,
>
> Here are the facts:
> - I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
> - Samba is acting as a domain controller, no Windows server involved.
> - I am using tdbsam.
> - I need to enforce certain password requirements.
>
> The password requirements are:
> - min 8 characters
> - expiration 90 days
> - last 10 passwords may not be reused
> - not a dictionary word
>
> Per the Samba 3.2 FAQ, the first three requirements are easily
> accomplished via pdbedit:
> # pdbedit -P "min password length" -C 8
> # pdbedit -P "password history" -C 10
> # pdbedit -P "maximum password age" -C 90
>
> These items appear to work with no difficulty. However this does not
> address the dictionary/complexity requirement.
>
> I have seen the following suggestion elsewhere on the samba list:
>
> check password script = /usr/local/sbin/crackcheck -d
> /var/cache/cracklib/cracklib_dict
>
> I am not able to use this suggestion directly. No file "crackcheck" is
> present on my system. There is a /usr/sbin/cracklib-check but it seems
> to work on a file or stream, like grep or something, as opposed to
> returning a value as a function. And it does not seem to accept a "-d"
> switch. There seems to be no man page for cracklib-check. I have a
> dictionary in /usr/share/cracklib.
>
> Here is what cracklib-check does...
>
> # cracklib-check
> test
> test: it is too short
> booger
> booger: it is based on a dictionary word
> bfg9000
> bfg9000: OK
> ^C
> # cracklib-check booger   <-- attempting to check password "booger"
> ^C                        <-- sits there for input, ctrl-c to get out
>
> It does not seem to be a program that "returns" something, so I don't
> think it can return an error code to Samba if I use a crappy password.
> I tried this anyway, but it does not seem to accomplish anything. I
> see nothing in /var/log/messages or in /var/log/samba/log.smbd.
>
> check password script = /usr/sbin/cracklib-check
> /usr/share/cracklib/pw_dict
>
> Well, it doesn't seem to work when I change my password from a windows
> client. Does anyone have any suggestions? Thanks.
>
> So what it boils down to is:
>
> 0) what am I missing here?
>
> 1) where can I get an example crackcheck script file?
>
> 2) I have seen other suggestions to use pam. This might supersede some
> of the tdbsam policy requirements. Is this a better method?
>
>
>
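The mismatch Morgan describes is between how Samba invokes `check password script` (it writes the candidate password to the script's standard input and treats exit status 0 as "accept", anything else as "reject") and how cracklib-check behaves (it reads candidates from standard input and prints one verdict line per candidate, either `<password>: OK` or `<password>: <reason>`, always exiting 0). A small wrapper bridges the two. The script below is an added example, not code from the thread or from the Samba project; the script name `samba-pwcheck.sh` and the environment variable `CRACKLIB_CHECK` are my own choices, and the path `/usr/sbin/cracklib-check` is the one from Morgan's message.

```shell
#!/bin/sh
# samba-pwcheck.sh (hypothetical name): wrapper so Samba's
# "check password script" can use cracklib-check.
#
# Samba writes the candidate password on stdin and expects exit 0 to
# accept it, non-zero to reject it. cracklib-check reads candidates from
# stdin and prints "<password>: OK" or "<password>: <reason>", so the
# wrapper reads one line, forwards it, and maps the verdict to an exit code.
#
# CRACKLIB_CHECK (assumed variable) lets a test substitute a fake checker.

# Map one cracklib-check output line to an exit status:
# 0 when the line ends in ": OK", 1 for any rejection reason.
verdict_to_status() {
    case "$1" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# Read a single candidate from stdin, run it through cracklib-check and
# return its verdict as the exit status. Never echoes the password itself.
check_password() {
    candidate=
    # read returns non-zero on a missing trailing newline; still accept it
    IFS= read -r candidate || [ -n "$candidate" ] || return 1
    [ -n "$candidate" ] || return 1
    verdict=$(printf '%s\n' "$candidate" \
        | "${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}" 2>/dev/null) || return 1
    verdict_to_status "$verdict"
}

# When invoked by Samba (i.e. executed as the script itself), check the
# password on stdin and exit with the verdict. Sourcing the file for tests
# leaves the functions defined without running anything.
case "$0" in
    *samba-pwcheck*) check_password; exit $? ;;
esac
```

Install it as, for example, `/usr/local/sbin/samba-pwcheck.sh`, owned by root with mode 0750 and no `set -x` or other tracing (the password passes through the script's stdin and a shell variable, so nothing in it should log or echo its input), and point smb.conf at it with `check password script = /usr/local/sbin/samba-pwcheck.sh`. Testing it from a shell is then `printf 'booger\n' | /usr/local/sbin/samba-pwcheck.sh; echo $?`, which should print 1 for a dictionary word and 0 for a password cracklib accepts.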