Hi Samba folks,

I had a couple questions about password complexity checking.

To preface, in smb.conf, we set:

check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict

Also, if I understand correctly:

/usr/local/sbin/crackcheck comes from samba source rpm package. Maybe we need to compile it ourselves.

/usr/share/cracklib/pw_dict* comes from cracklib-dicts rpm package

Here are my questions:

1) May we also specify -c along with -d in check password script parameter to enable "NT like complexity checks"?

2) What precisely are "NT like complexity checks"?

3) There is no file /usr/share/cracklib/pw_dict, however in /usr/share/cracklib there is: pw_dict.hwm, pw_dict.pwd, and pw_dict.pwi. I am thinking pw_dict.pwd is the actual dictionary. It's in some sort of binary format. Why do we not specify the file extension in the smb.conf parameter?

4) How may we list/modify contents of pw_dict.pwd?

Thanks for your time!
mtoal

--
Morgan Toal, RHCE, CFCE, CEH, MCP
Network Manager
City of Burlington, Iowa
319-759-8882

Andrew Bartlett
2012-Feb-18 09:37 UTC
[Samba] questions about password complexity checking.
On Tue, 2012-02-14 at 10:48 -0600, Morgan Toal wrote:
> Hi Samba folks,
>
> I had a couple questions about password complexity checking.
>
> To preface, in smb.conf, we set:
>
> check password script = /usr/local/sbin/crackcheck -d
> /usr/share/cracklib/pw_dict
>
> Also, if I understand correctly:
>
> /usr/local/sbin/crackcheck comes from samba source rpm package.
> maybe we need to compile it ourselves.
>
> /usr/share/cracklib/pw_dict* comes from cracklib-dicts rpm package
>
> Here are my questions:
>
> 1) may we also specify -c along with -d in check password script
> parameter to enable "NT like complexity checks"?

If you want, you can.

> 2) what precisely are "NT like complexity checks"?

At least 3 of: upper, lower, digit, punctuation.

> 3) there is no file /usr/share/cracklib/pw_dict however in
> /usr/share/cracklib there is: pw_dict.hwm, pw_dict.pwd, and pw_dict.pwi
> I am thinking pw_dict.pwd is the actual dictionary. It's in some sort of
> binary format. Why do we not specify the file extension in the smb.conf
> parameter?

Because the underlying FascistCheck() function only wants the prefix, without the extension.

> 4) How may we list/modify contents of pw_dict.pwd?

I don't think you can. But you can instead change crackcheck to also check your personal dictionary of banned passwords.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
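
The two checks discussed in this thread, the "at least 3 of: upper, lower, digit, punctuation" rule and a site-specific banned-password list, written in C as an added example; it is not Samba's crackcheck source and not code from either poster. The function names, the banned entries and the exit codes 1/2/3 are assumptions, and it relies on the smb.conf behaviour that a check password script receives the candidate password on stdin and accepts it by exiting with status 0.

```c
/* Added example; not Samba's crackcheck source. All names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample entries; a real site list would be loaded from a file. */
static const char *const banned[] = { "Summer2012!", "Welcome1!", "Passw0rd!" };

/* Returns 1 when pw has at least 3 of: upper, lower, digit, punctuation. */
static int complexity_ok(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, punct = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;  /* ctype needs unsigned values */
        if (isupper(c)) upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
    }
    return upper + lower + digit + punct >= 3;
}

/* ASCII case-insensitive equality, so "passw0rd!" also hits "Passw0rd!". */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* 0 = accept, 1 = too few character classes, 2 = on the banned list. */
static int check_password(const char *pw)
{
    if (!complexity_ok(pw)) return 1;
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++)
        if (eq_nocase(pw, banned[i])) return 2;
    return 0;
}

int main(void)
{
    char pw[512];
    if (!fgets(pw, sizeof pw, stdin)) return 3;   /* no input: reject */
    pw[strcspn(pw, "\r\n")] = '\0';               /* drop a trailing newline if present */
    int rc = check_password(pw);
    if (rc) fprintf(stderr, "ERR password rejected (code %d)\n", rc);
    return rc;
}
```

The banned-list pass runs after the complexity pass because entries such as "Passw0rd!" satisfy the character-class rule and would otherwise be accepted.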