Hi everyone,

A quick question: Is the check password script option working for an AD DC setup? I believe AD on its own cannot provide password protection against dictionaries.
Hmm, looks like it's not. I've just set the password to something that cracklib-check would object to, using both AD management tools and at Windows login. Should it work that way, or am I missing something?

My DC's smb.conf:

    [global]
    workgroup = KURSK
    realm = KURSK.MTT
    netbios name = DEBIAN-DC
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    check password script = /usr/sbin/cracklib-check
    log level = 4

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

log.samba entries for the password change:

    [2015/05/27 10:09:07.604309, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
      ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
    [2015/05/27 10:09:07.617789, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: TGS-REQ Administrator at KURSK.MTT from ipv4:192.168.1.204:50304 for kadmin/changepw at KURSK.MTT [canonicalize, renewable, forwardable]
    [2015/05/27 10:09:07.631380, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime: 2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till: 2015-06-03T10:03:06
    [2015/05/27 10:09:07.633241, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
      Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2015/05/27 10:09:07.633707, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
    [2015/05/27 10:09:07.642900, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
      Found account name from PAC: Administrator []
    [2015/05/27 10:09:07.660999, 3] ../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
      KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is changing password of xviewsion at kursk.mtt
    [2015/05/27 10:09:07.841347, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)

2015-05-27 6:24 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>:
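An added example, not part of the thread or of Samba: a wrapper script of the kind that belongs behind "check password script". Samba writes the candidate password to the script's standard input and accepts the password only if the script exits 0. cracklib-check, by contrast, is a filter that reports its verdict as text on stdout ("<password>: OK" or "<password>: <reason>") rather than through its exit status, so pointing the option straight at it gives Samba nothing to act on; a wrapper has to turn that text into an exit code. The install path /usr/local/sbin/samba-pwcheck, the deny-list path and the length floor are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: wrapper to use as
#   check password script = /usr/local/sbin/samba-pwcheck   (path assumed)
# Samba feeds the candidate password on stdin and accepts it only on exit 0.
# cracklib-check prints "<password>: OK" or "<password>: <reason>" and does
# not carry the verdict in its exit status, so the text is translated here.
# CRACKLIB_BIN, DENYLIST and MIN_LENGTH are assumed, overridable defaults.

CRACKLIB_BIN="${CRACKLIB_BIN:-/usr/sbin/cracklib-check}"
DENYLIST="${DENYLIST:-/etc/samba/password-denylist.txt}"   # one entry per line
MIN_LENGTH="${MIN_LENGTH:-12}"

# check_password PASSWORD: returns 0 to accept; prints a reason and
# returns 1 to reject.
check_password() {
    pw="$1"

    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "too short (minimum $MIN_LENGTH characters)"
        return 1
    fi

    # Site-specific deny list (company name, product names, ...), matched as
    # a whole line, case-insensitively. The password is passed to grep as a
    # pattern file on stdin rather than on the command line, so it never
    # shows up in a process listing.
    if [ -r "$DENYLIST" ] && printf '%s\n' "$pw" | grep -qixF -f - "$DENYLIST"; then
        echo "password is on the local deny list"
        return 1
    fi

    # cracklib stage: feed the password on stdin and compare the echoed
    # verdict with the exact accept form "<password>: OK". Anything else,
    # including an error from a missing dictionary, rejects (fail closed).
    if [ -x "$CRACKLIB_BIN" ]; then
        verdict="$(printf '%s\n' "$pw" | "$CRACKLIB_BIN" 2>/dev/null || true)"
        if [ "$verdict" != "$pw: OK" ]; then
            echo "cracklib: ${verdict#"$pw: "}"
            return 1
        fi
    fi

    return 0
}

# Entry point as Samba invokes it: password on stdin, verdict via exit status,
# rejection reason on stderr. It runs only when the file is installed under
# its intended name, so the function can also be sourced by a test harness.
case "$0" in
    *samba-pwcheck*)
        IFS= read -r candidate
        check_password "$candidate" >&2
        exit $?
        ;;
esac
```

The deny list and length floor run before cracklib so that a site-specific word is refused even if the cracklib dictionary does not know it; the cracklib stage is skipped only when the binary is absent, which keeps the local checks in force on a host where cracklib is not installed.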
I would like to bump my question.

2015-05-27 10:21 GMT+03:00 Krutskikh Ivan <stein.hak at gmail.com>: