[Samba] samba password complexity help?

Morgan Toal mtoal at burlingtoniowa.org
Mon Dec 21 11:24:27 MST 2009


Thank you John for your comment, which made me realize that crackcheck 
was something I needed to compile myself. I had thought this was perhaps 
a version difference between older and newer versions of cracklib. In my 
case I was using prebuilt RPMs. Please see my notes below for my steps 
to resolution (cc: to samba list for posterity).

Also, thank you Jack for your suggestion. I was able to get passwd sync 
to work, but since the users never log into the samba box directly I 
wanted to keep this entirely "within samba" so to speak and not deal 
with setting up the pam restrictions on unix accounts.

thanks again...


On 12/21/2009 9:17 AM, john at hytronix.com wrote:

>> I'll repost this, as I'm kind of needing to get some resolution on this
>> issue. If anyone has some documentation they could point me to I'd
>> appreciate it, or perhaps a sample check password script suitable for
>> Fedora 11.
> Look in your samba source, under examples->auth->crackcheck, if you built
> from source - since you have the cracklib stuff already you have all you
> need.
> If you are using prebuilt RPMs, it's in one of them, but I don't recall
> which.
> -John

# create-cracklib-dict /usr/share/dict/words
we need to be sure we have created our password dictionary
it is created for us in /usr/share/cracklib/pw_dict.pwd
this is referred to in smb.conf when we set up password checking

I received a suggestion that crackcheck was to be compiled from samba 
source, exists in examples/auth/crackcheck

# yum install samba-doc
didn't have crackcheck in it.
look for the main samba source rpm.

# rpm -ivh samba-3.4.2-0.42.fc11.src.rpm
I got it from rpmseek.com
/examples/auth/crackcheck.c is present in this directory:
Now, what do I need to compile it?
we at least need to install gcc, maybe cracklib-dev

# yum install gcc
make didn't work yet, probably need cracklib-devel

# yum install cracklib-devel
make worked
crackcheck executable resides in:

copy this to somewhere more sensible:
cp crackcheck /usr/local/sbin

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
(returns nothing implying the password was acceptable)

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
ERR - it is based on a dictionary word
(returns an error indicating password is not acceptable)

# vi /etc/samba/smb.conf
check password script = /usr/local/sbin/crackcheck -d 

# service smb reload

try it now from a windows client that is on that domain.

things to check if all passwords are rejected even good ones...
...is pw_dict an empty or very small file? remake it.
...is crackcheck executable where you think it is?
...is the path to crackcheck executable valid? (I had a typo)
...is the path to the pw_dict valid?

Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
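
The "things to check" list at the end of the message, as an added example that is not part of the original post: a POSIX shell function that reads the `check password script` line from an smb.conf-style file and tests each item in turn. The function names, the return codes and the 1024-byte minimum dictionary size are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, return codes and
# the 1024-byte "too small" threshold are assumptions made for illustration.

# Print the value of "check password script" from an smb.conf-style file.
# Simplification: expects the parameter name spelled exactly like this.
get_check_script() {
    sed -n 's/^[[:space:]]*check password script[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# diagnose_check_script CONF [MIN_BYTES]
# Returns 0 when every item passes, otherwise:
#   1 parameter not set        2 program missing or not executable
#   3 no "-d <dict>" argument  4 <dict>.pwd not found
#   5 <dict>.pwd smaller than MIN_BYTES (empty or truncated dictionary)
diagnose_check_script() {
    conf=$1
    min=${2:-1024}
    line=$(get_check_script "$conf")
    [ -n "$line" ] || { echo "check password script is not set in $conf" >&2; return 1; }

    # Split the configured command line into program and arguments.
    set -f; set -- $line; set +f
    prog=$1; shift
    if [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
        echo "not an executable file: $prog" >&2; return 2
    fi

    dict=
    while [ $# -gt 0 ]; do
        if [ "$1" = "-d" ]; then dict=${2:-}; break; fi
        shift
    done
    [ -n "$dict" ] || { echo "no dictionary path after -d" >&2; return 3; }

    # The dictionary is passed as a path prefix; the data file is <prefix>.pwd
    [ -f "$dict.pwd" ] || { echo "dictionary file missing: $dict.pwd" >&2; return 4; }
    size=$(( $(wc -c < "$dict.pwd") ))
    if [ "$size" -lt "$min" ]; then
        echo "dictionary is only $size bytes, remake it: $dict.pwd" >&2; return 5
    fi
    echo "ok: $prog with dictionary $dict.pwd ($size bytes)"
}

# Usage: diagnose_check_script /etc/samba/smb.conf
```

A non-zero return identifies which item on the checklist failed, which is quicker than changing a password from a Windows client after each edit.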
