Before I begin, big thanks to John Terpstra for helping me out with my previous issues.

But alas I have another issue, I need to enforce strong passwords on the Windows side (i.e. ctrl+alt+delete change password), minimum password length, can't be dictionary words, etc. etc.

(Setup is Samba 3.0.0 as PDC with LDAP passdb)

From what I understand previously this could've been done using pam_smbpass or a policy pushed out from netlogon, but I'm dealing with a mixed environment of 2k/XP, and I read that nt4 policies don't work with XP. And it would appear that when using ldap password sync it bypasses pam(?).

Also I've seen a lot about Group Policy Editor, but it seems that's only useful if you're using AD.

Is this perhaps the direction pdbedit is going towards? It would be quite nifty to have a single command to edit (or generate) domain policies. It seemed to work with altering the minimum password length, but it only goes so far.

Any suggestions / advice / heckling if I'm being an idiot would be appreciated

--
Cybr0t McWhulf

> Before I begin, big thanks to John Terpstra for helping me out with my
> previous issues.
> But alas I have another issue, I need to enforce strong passwords on
> Windows side (i.e. ctrl+alt+delete change password), minimum password
> length, can't be dictionary words, etc. etc.

You can specify minimum password length, but not much beyond that. There is a section of the Samba code that says "insert cracklib support here". I'd imagine that is what we all want to see happen.

> (Setup is Samba 3.0.0 as PDC with LDAP passdb)

Same here.

> From what I understand previously this could've been done using
> pam_smbpass or a policy pushed out from netlogon, but I'm dealing with a
> mixed environment of 2k/XP, and I read that nt4 policies don't work with
> XP. And it would appear that when using ldap password sync it bypasses
> pam(?).

Yes, it does.

> Also I've seen a lot about Group Policy Editor, but it seems that's only
> useful if you're using AD.
> Is this perhaps the direction pdbedit is going towards? It would be quite
> nifty to have a single command to edit (or generate) domain policies. It
> seemed to work with altering the minimum password length, but it only goes so
> far.

I think cracklib support in Samba is what we want.

I currently use unix passwd sync = yes to accomplish this in 2.2.8. The option still appears to be available in 3.0.0. You can specify a custom script with passwd program and passwd chat in smb.conf which will check the password's strength. This program must return successful before Samba will change the Samba password, effectively checking password strength.

On Thu, 2003-10-02 at 16:25, Cybr0t McWhulf wrote:
> But alas I have another issue, I need to enforce strong passwords on
> windows side (i.e. ctrl+alt+delete change password), minimum password
> length, can't be dictionary words, etc. etc.
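
The kind of strength-checking program the last reply describes, as an added example that is not part of the original thread and not Samba's own code. It assumes the script is run through `passwd program` (with `unix password sync` enabled) and receives the user name as its first argument; the prompt and result strings, the word list and the thresholds are all assumptions, and it performs only the check, not the password change itself.

```python
#!/usr/bin/env python3
"""Strength check for a wrapper run via Samba's `passwd program` (added example)."""
import sys

# Constructed sample word list; the real dictionary source is an assumption.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "samba"}
# Common letter substitutions to undo before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")
EDGE = "0123456789!@#$%^&*()-_=+.,?"


def check_password(password, username, words=SAMPLE_WORDS, min_len=8):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # Drop leading/trailing digits and symbols, then undo substitutions,
    # so "P@ssw0rd1!" is still recognised as the word "password".
    core = lowered.strip(EDGE).translate(LEET)
    if core in words:
        problems.append("is based on a dictionary word")
    return problems


def main(argv):
    # Hypothetical chat: print a prompt, read one line, report the verdict.
    username = argv[1] if len(argv) > 1 else ""
    sys.stdout.write("New password: ")
    sys.stdout.flush()
    password = sys.stdin.readline().rstrip("\r\n")
    problems = check_password(password, username)
    if problems:
        print("BAD PASSWORD: " + "; ".join(problems))
        return 1
    print("PASSWORD OK")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `passwd chat` setting would need to be written to match the prompt and result strings printed here.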