Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from backports.
The problem is that I can't find a way to enforce strenght to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the diference between the new and the
old, to store a list of old passwords to check... I mean, things that
are requiered to enforce some policy of security by my company.
Bottom line? The users can put his username for password! Not even that
is checked...
It's something wrong in my setup or is a feature request? I see min
password length.. but.. the rest?
This is the important part of my setup:
[global]
#Network ID
workgroup = JUSBAIRES
netbios name = PDC
netbios aliases = SERVER
server string
#Logs
debug level = 0
syslog = 0
log level = 0
log file = /var/log/samba/%m.%U.log
max log size = 10000
panic action = /usr/share/samba/panic-action %d
#Network Support
name resolve order = wins hosts lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
IPTOS_LOWDELAY SO_KEEPALIVE
wins support = yes
wins proxy = yes
enhanced browsing = yes
dns proxy = yes
time server = yes
local master = yes
smb ports = 139
#LDAP
ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
ldap suffix = dc=jusbaires,dc=gov,dc=ar
ldap group suffix = ou=Group
ldap user suffix = ou=People
ldap machine suffix = ou=alem,ou=Computers
ldap delete dn = no
ldap passwd sync = yes
#Printer Options
printcap name = /dev/null
printing = bsd
load printers = no
#Security Options
admin users = administrador lgiacchetta
enable privileges = yes
preferred master = yes
lm announce = yes
domain master = yes
domain logons = yes
encrypt passwords = yes
pam password change = yes
passdb backend = ldapsam:"ldap://127.0.0.1
ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar"
passwd chat debug = no
check password script = /usr/local/bin/crackcheck -d
/var/cache/cracklib/cracklib_dict
unix charset = 850
dont descend = .recycle
delete veto files = yes
restrict anonymous = 1
#Profiles stuff
logon script = netlogon.%U.bat
logon path = \\PDC\profiles\%U
logon home = \\PDC\personal
logon drive = H:
hide files = /Desktop.ini/desktop.ini/
hide dot files = yes
I think you'll find at least some of these are Windows Policies and would not be reflected in the smb.conf file. If you check the Samba Howto collection and the Samba by example documents at samba.org, you'll find examples of how to set some of the policies. To be honest, I've never gone beyond requiring password changes, minimum lengths and histories. :) Guido Lorenzutti wrote:> Hi people! I have a few problems with the password strength in Samba. > I have a PDC with LDAP on Debian Stable, with a few packages from > backports. > The problem is that I can't find a way to enforce strenght to the > passwords of the users. I can't define a policy to force things like: > number of uppercase letters, number of downcase letters, number of > numbers in the password, to check the diference between the new and > the old, to store a list of old passwords to check... I mean, things > that are requiered to enforce some policy of security by my company. > Bottom line? The users can put his username for password! Not even > that is checked... > > It's something wrong in my setup or is a feature request? I see min > password length.. but.. the rest? > > > This is the important part of my setup: > > [global] > #Network ID > workgroup = JUSBAIRES > netbios name = PDC > netbios aliases = SERVER > server string > > #Logs > debug level = 0 > syslog = 0 > log level = 0 > log file = /var/log/samba/%m.%U.log > max log size = 10000 > panic action = /usr/share/samba/panic-action %d > > #Network Support > name resolve order = wins hosts lmhosts bcast > socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 > IPTOS_LOWDELAY SO_KEEPALIVE > wins support = yes > wins proxy = yes > enhanced browsing = yes > dns proxy = yes > time server = yes > local master = yes > smb ports = 139 > > #LDAP > ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar > ldap suffix = dc=jusbaires,dc=gov,dc=ar > ldap group suffix = ou=Group > ldap user suffix = ou=People > ldap machine suffix = ou=alem,ou=Computers > ldap delete dn = no > ldap passwd sync = yes > > #Printer Options > printcap name = /dev/null > printing = bsd > load printers = no > > #Security Options > admin users = administrador lgiacchetta > enable privileges = yes > preferred master = yes > lm announce = yes > domain master = yes > domain logons = yes > encrypt passwords = yes > pam password change = yes > passdb backend = ldapsam:"ldap://127.0.0.1 > ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar" > passwd chat debug = no > check password script = /usr/local/bin/crackcheck -d > /var/cache/cracklib/cracklib_dict > unix charset = 850 > dont descend = .recycle > delete veto files = yes > restrict anonymous = 1 > > #Profiles stuff > logon script = netlogon.%U.bat > logon path = \\PDC\profiles\%U > logon home = \\PDC\personal > logon drive = H: > hide files = /Desktop.ini/desktop.ini/ > hide dot files = yes
Please read the documentation. Samba3-HOWTO.pdf is a good start. You can obtain it from: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf The utility you need to master is called 'pdbedit', but before using it please read up on user rights and privileges and on policies. - John T. On Tuesday 26 December 2006 11:36, Guido Lorenzutti wrote:> Hi people! I have a few problems with the password strength in Samba. > I have a PDC with LDAP on Debian Stable, with a few packages from > backports. The problem is that I can't find a way to enforce strenght to > the > passwords of the users. I can't define a policy to force things like: > number of uppercase letters, number of downcase letters, number of > numbers in the password, to check the diference between the new and the > old, to store a list of old passwords to check... I mean, things that > are requiered to enforce some policy of security by my company. > Bottom line? The users can put his username for password! Not even that > is checked... > > It's something wrong in my setup or is a feature request? I see min > password length.. but.. the rest? > > > This is the important part of my setup: > > [global] > #Network ID > workgroup = JUSBAIRES > netbios name = PDC > netbios aliases = SERVER > server string > > #Logs > debug level = 0 > syslog = 0 > log level = 0 > log file = /var/log/samba/%m.%U.log > max log size = 10000 > panic action = /usr/share/samba/panic-action %d > > #Network Support > name resolve order = wins hosts lmhosts bcast > socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 > IPTOS_LOWDELAY SO_KEEPALIVE > wins support = yes > wins proxy = yes > enhanced browsing = yes > dns proxy = yes > time server = yes > local master = yes > smb ports = 139 > > #LDAP > ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar > ldap suffix = dc=jusbaires,dc=gov,dc=ar > ldap group suffix = ou=Group > ldap user suffix = ou=People > ldap machine suffix = ou=alem,ou=Computers > ldap delete dn = no > ldap passwd sync = yes > > #Printer Options > printcap name = /dev/null > printing = bsd > load printers = no > > #Security Options > admin users = administrador lgiacchetta > enable privileges = yes > preferred master = yes > lm announce = yes > domain master = yes > domain logons = yes > encrypt passwords = yes > pam password change = yes > passdb backend = ldapsam:"ldap://127.0.0.1 > ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar" > passwd chat debug = no > check password script = /usr/local/bin/crackcheck -d > /var/cache/cracklib/cracklib_dict > unix charset = 850 > dont descend = .recycle > delete veto files = yes > restrict anonymous = 1 > > #Profiles stuff > logon script = netlogon.%U.bat > logon path = \\PDC\profiles\%U > logon home = \\PDC\personal > logon drive = H: > hide files = /Desktop.ini/desktop.ini/ > hide dot files = yes