[Samba] check password script for samba 4 ad dc
Krutskikh Ivan
stein.hak at gmail.com
Wed May 27 11:26:23 MDT 2015
I would like to bump my question
2015-05-27 10:21 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
> Hmm, looks like it's not. I've just set the password for something that
> cracklib-check would argue using both ad management tools and at windows
> login. Should it work that way or I'm missing something?
>
> My dc's smb.conf:
>
> [global]
> workgroup = KURSK
> realm = KURSK.MTT
> netbios name = DEBIAN-DC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> check password script = /usr/sbin/cracklib-check
> log level = 4
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
>
> logs log.samba for passwd change:
>
> [2015/05/27 10:09:07.604309, 3]
> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with
> system_session
> [2015/05/27 10:09:07.617789, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ Administrator at KURSK.MTT from ipv4:192.168.1.204:50304
> for kadmin/changepw at KURSK.MTT [canonicalize, renewable, forwardable]
> [2015/05/27 10:09:07.631380, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime:
> 2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till:
> 2015-06-03T10:03:06
> [2015/05/27 10:09:07.633241, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/05/27 10:09:07.633707, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/05/27 10:09:07.642900, 3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
> Found account name from PAC: Administrator []
> [2015/05/27 10:09:07.660999, 3]
> ../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
> KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is
> changing password of xviewsion at kursk.mtt
> [2015/05/27 10:09:07.841347, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>
>
> 2015-05-27 6:24 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
>
>> Hi everyone,
>>
>>
>> A quick question: Is check password script option working for ad dc
>> setup? I believe, ad on it's own cannot provide password protection against
>> dictionaries.
>>
>
>
More information about the samba
mailing list