Charles McLaughlin
2005-Aug-15 20:03 UTC
[Samba] enforcing password complexity (check password script, cracklib)
Hello,

I would like to enforce some level of password complexity when users change their password. I have a Samba PDC running on Debian set to sync Unix passwords. I'm trying to get Samba to work with cracklib, but it isn't going well.

Here is what I've tried:

Installed libpam-cracklib, compiled examples/auth/crackcheck and copied the binary to /usr/local/sbin.

I added the following line to my smb.conf file:

check password script = /usr/local/sbin/crackcheck

Edited /etc/pam.d/common-password to look like this:

password required pam_unix.so nullok obscure min=4 max=8 md5
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

Restarted Samba and tried to change my password from a Windows box and smbpasswd. I get this error when using smbpasswd:

machine 127.0.0.1 rejected the (anonymous) password change: Error was : Password restriction.
Failed to change password for cmclaugh

I picked a rather random and strong password, so I believe there is some misconfiguration.

I would appreciate any advice.

Thanks,
Charles

Charles McLaughlin
2005-Nov-20 03:20 UTC
[Samba] Re: enforcing password complexity (check password script, cracklib)
I'm posting this for the sake of the archives.

To get this to work I had to generate the cracklib dictionary by running update-cracklib or /etc/cron.daily/cracklib then specify the cracklib dictionary on the relevant line in smb.conf:

check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

Charles

Charles McLaughlin wrote:
> Hello,
>
> I would like to enforce some level of password complexity when users
> change their password. I have a Samba PDC running on Debian set to sync
> Unix passwords. I'm trying to get Samba to work with cracklib, but it
> isn't going well.
>
> Here is what I've tried:
>
> Installed libpam-cracklib, compiled examples/auth/crackcheck and copied
> the binary to /usr/local/sbin.
>
> I added the following line to my smb.conf file:
>
> check password script = /usr/local/sbin/crackcheck
>
> Edited /etc/pam.d/common-password to look like this:
>
> password required pam_unix.so nullok obscure min=4 max=8 md5
> password required pam_cracklib.so retry=3 minlen=6 difok=3
> password required pam_unix.so use_authtok nullok md5
>
> Restarted Samba and tried to change my password from a Windows box and
> smbpasswd. I get this error when using smbpasswd:
>
> machine 127.0.0.1 rejected the (anonymous) password change: Error was :
> Password restriction.
> Failed to change password for cmclaugh
>
> I picked a rather random and strong password, so I believe there is some
> misconfiguration.
>
> I would appreciate any advice.
>
> Thanks,
> Charles
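
Added example, not part of the original thread or of Samba's own code: a small shell diagnostic that separates "the cracklib dictionary is missing" from "the password really is weak", since both surface to the client as the same "Password restriction" error. It assumes the check password script reads the candidate on stdin and exits 0 to accept, and that a packed cracklib dictionary consists of the prefix plus .pwd, .pwi and .hwm files; the function names dict_ready and try_password are hypothetical.

```shell
#!/bin/sh
# Diagnose a Samba "check password script" setup before pointing smb.conf at it.

# dict_ready PREFIX
# Succeeds only if all three packed cracklib files exist and are non-empty.
# (Assumption: the dictionary is PREFIX.pwd, PREFIX.pwi and PREFIX.hwm.)
dict_ready() {
    for ext in pwd pwi hwm; do
        [ -s "$1.$ext" ] || { echo "missing or empty: $1.$ext" >&2; return 1; }
    done
}

# try_password CHECKER DICT_PREFIX CANDIDATE
# Feeds CANDIDATE to CHECKER on stdin, the way smbd hands over a new password,
# and prints one verdict word: checker-missing, dictionary-missing,
# accepted or rejected. The return code is non-zero for everything but accepted.
try_password() {
    checker=$1
    dict=$2
    candidate=$3
    [ -x "$checker" ] || { echo "checker-missing"; return 2; }
    dict_ready "$dict" || { echo "dictionary-missing"; return 3; }
    if printf '%s\n' "$candidate" | "$checker" -d "$dict" >/dev/null 2>&1; then
        echo "accepted"
    else
        echo "rejected"
        return 1
    fi
}

# Stand-alone use: sh cps-diag.sh CHECKER DICT_PREFIX
# The candidate is read from stdin so it never appears in the process list.
if [ "$#" -eq 2 ]; then
    IFS= read -r candidate_in
    try_password "$1" "$2" "$candidate_in"
fi
```

With the paths from the thread this would be run as `sh cps-diag.sh /usr/local/sbin/crackcheck /var/cache/cracklib/cracklib_dict`; a dictionary-missing verdict means the dictionary has to be generated before any password can pass.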