[Samba] questions about password complexity checking.

Andrew Bartlett abartlet at samba.org
Sat Feb 18 02:37:21 MST 2012


On Tue, 2012-02-14 at 10:48 -0600, Morgan Toal wrote:
> Hi Samba folks,
> 
> I had a couple questions about password complexity checking.
> 
> To preface, in smb.conf, we set:
> 
> check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
> 
> Also, if I understand correctly:
> 
> /usr/local/sbin/crackcheck comes from the samba source rpm package.
> Maybe we need to compile it ourselves.
> 
> /usr/share/cracklib/pw_dict* comes from cracklib-dicts rpm package
> 
> Here are my questions:
> 
> 1) May we also specify -c along with -d in the check password script 
> parameter to enable "NT like complexity checks"?

If you want, you can. 

> 2) what precisely are "NT like complexity checks"?

At least 3 of: upper, lower, digit, punctuation.

> 3) There is no file /usr/share/cracklib/pw_dict; however, in 
> /usr/share/cracklib there are: pw_dict.hwm, pw_dict.pwd, and pw_dict.pwi
> I am thinking pw_dict.pwd is the actual dictionary. It's in some sort of 
> binary format. Why do we not specify the file extension in the smb.conf 
> parameter?

Because the underlying FascistCheck() function only wants the prefix,
without the extension. 

> 4) How may we list/modify contents of pw_dict.pwd?

I don't think you can.  But you can instead change crackcheck to also
check your personal dictionary of banned passwords.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
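
The two checks discussed in this thread (at least 3 of upper, lower, digit, punctuation, plus a personal list of banned passwords), sketched as a standalone check password script. This is an added example, not Samba's crackcheck and not code from either poster. The banned-list path is a hypothetical placeholder; the script relies on the smb.conf convention that the candidate password arrives on stdin and exit status 0 accepts it.

```python
#!/usr/bin/env python3
"""Added example: a 'check password script' (not Samba's crackcheck).

Samba writes the candidate password to stdin; exit status 0 accepts it.
"""
import string
import sys

# Assumption: hypothetical path, one banned password per line.
BANNED_FILE = "/usr/local/etc/banned_passwords.txt"


def char_classes(password):
    """Count how many of upper, lower, digit, punctuation appear."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def load_banned(path):
    """Load the site list, lower-cased. An unreadable file raises, so the
    script exits non-zero and the change is rejected (fail closed)."""
    with open(path, encoding="utf-8") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def check_password(password, banned):
    """Return None if acceptable, else a short rejection reason."""
    if char_classes(password) < 3:
        return "needs at least 3 of: upper, lower, digit, punctuation"
    if password.lower() in banned:
        return "password is on the site banned list"
    return None


if __name__ == "__main__":
    # Strip only the line ending; spaces may be part of the password.
    candidate = sys.stdin.readline().rstrip("\r\n")
    reason = check_password(candidate, load_banned(BANNED_FILE))
    if reason:
        print(reason, file=sys.stderr)
        sys.exit(1)
    sys.exit(0)
```

To keep the cracklib dictionary check as well, a wrapper can run crackcheck first and this script second, accepting only if both exit 0.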


