samba - May 2015 - check password script for samba 4 ad dc

Hi everyone,


A quick question: Is check password script option working for ad dc setup?
I believe, ad on it's own cannot provide password protection against
dictionaries.

Hmm, looks like it's not. I've just set the password for something that
cracklib-check would argue using both ad management tools and at windows
login. Should it work that way or I'm missing something?

 My dc's smb.conf:

[global]
        workgroup = KURSK
        realm = KURSK.MTT
        netbios name = DEBIAN-DC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        check password script = /usr/sbin/cracklib-check
        log level = 4

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No



logs log.samba for passwd change:

[2015/05/27 10:09:07.604309,  3]
../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
  ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with
system_session
[2015/05/27 10:09:07.617789,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ Administrator at KURSK.MTT from ipv4:192.168.1.204:50304
for kadmin/changepw at KURSK.MTT [canonicalize, renewable, forwardable]
[2015/05/27 10:09:07.631380,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime:
2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till:
2015-06-03T10:03:06
[2015/05/27 10:09:07.633241,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2015/05/27 10:09:07.633707,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2015/05/27 10:09:07.642900,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Administrator []
[2015/05/27 10:09:07.660999,  3]
../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
  KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is
changing password of xviewsion at kursk.mtt
[2015/05/27 10:09:07.841347,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)


2015-05-27 6:24 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
> Hi everyone,
>
>
> A quick question: Is check password script option working for ad dc setup?
> I believe, ad on it's own cannot provide password protection against
> dictionaries.
>

I would like to bump my question

2015-05-27 10:21 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
> Hmm, looks like it's not. I've just set the password for something
that
> cracklib-check would argue using both ad management tools and at windows
> login. Should it work that way or I'm missing something?
>
>  My dc's smb.conf:
>
> [global]
>         workgroup = KURSK
>         realm = KURSK.MTT
>         netbios name = DEBIAN-DC
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         check password script = /usr/sbin/cracklib-check
>         log level = 4
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
>
> logs log.samba for passwd change:
>
> [2015/05/27 10:09:07.604309,  3]
> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
>   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with
> system_session
> [2015/05/27 10:09:07.617789,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ Administrator at KURSK.MTT from
ipv4:192.168.1.204:50304
> for kadmin/changepw at KURSK.MTT [canonicalize, renewable, forwardable]
> [2015/05/27 10:09:07.631380,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime:
> 2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till:
> 2015-06-03T10:03:06
> [2015/05/27 10:09:07.633241,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2015/05/27 10:09:07.633707,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> [2015/05/27 10:09:07.642900,  3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>   Found account name from PAC: Administrator []
> [2015/05/27 10:09:07.660999,  3]
> ../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
>   KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is
> changing password of xviewsion at kursk.mtt
> [2015/05/27 10:09:07.841347,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>
>
> 2015-05-27 6:24 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
>
>> Hi everyone,
>>
>>
>> A quick question: Is check password script option working for ad dc
>> setup? I believe, ad on it's own cannot provide password protection
against
>> dictionaries.
>>
>
>