Hi all,
I'm quite new to all this, so please go easy on me if I don't quite seem
to
say the right things. (any advice is good advice)
I have a 3.0.14a-debian samba install, with ldap auth using pam_unix (see
smb.conf below)
We want to implement a few password checks for complexity, so I have written
a pretty basic script (see below) which definitely exits 0 on a good
password and throws it at cracklib (after complexity checks) to check for
dictionary words.
pdc:~/scripts# ./cracklib.sh repasdateA!
pdc:~/scripts# echo $?
0
pdc:~/scripts# ./cracklib.sh r3pl1Cat3
ERR - it is based on a dictionary word
pdc:~/scripts# echo $?
253
When I add it into smb.conf, it doesn't work. All users get a message saying
it isn't matching the pdbedit policies (even though it is) no password
changes happen at all and I am a bit lost as to why. My googling only shows
that it should exit 0 on a good password, which we have proven correct and
that samba sends the password to the script as stdin. I /dev/null any script
output other than exits.
Can anyone guide me to the right place?
Cracklib.sh script;
#!/bin/sh
if [ `echo $1 | egrep -e '[A-Z]' | egrep -e '[a-z]' | egrep -e
'[0-9]' 2>
/dev/null` ]; then
echo $1 | /sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict 2>& 1> /dev/null
exit $?
else
if [[ `echo $1 | egrep -e '[@#$%^&+=:;!]' 2> /dev/null`
&& `echo $1
| egrep -e '[0-9]' 2> /dev/null` || `echo $1 | egrep -e
'[@#$%^&+=:;!]' 2>
/dev/null` && `echo $1 | egrep -e '[A-Z]' 2> /dev/null` ]];
then
echo $1 | /sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict 2>& 1> /dev/null
exit $?
else
echo "Your password does not follow our policy see
http://pdc.adl.vm/pwchange/"
exit 1;
fi
fi
smb.conf:
[global]
workgroup = valman
server string = %L (Samba %v)
wins support = yes
dns proxy = no
netbios name = fileserver
logon script = logon.bat
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
check password script = /root/scripts/cracklib.sh
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = <edited to protect the innocent>
ldap machine suffix = <edited to protect the innocent>
ldap user suffix = <edited to protect the innocent>
ldap group suffix = <edited to protect the innocent>
ldap admin dn = <edited to protect the innocent>
ldap delete dn = no
ldap password sync = yes
domain master = yes
domain logons = yes
enable privileges = yes
obey pam restrictions = yes
; guest account = nobody
invalid users = root
unix password sync = yes
passwd program = /usr/bin/vxpasswd %u %n
passwd chat = *thanks:* %n\n *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n
.
######## File sharing ########
socket options = TCP_NODELAY
#======================= Share Definitions ======================
<snip>
I do have another question, but its not important by comparison.
Does the Check Password Script option allow additional variables to be sent
ala passwd program options?
Ie
check password script = /root/scripts/cracklib.sh %u
mainly as I would like the script to do checks that users aren't using their
own name in passwords, but when I also tried that, the same problem remained
(not sure if it is because of the first issue or if its separate/not
possible)
TIA
--
Regards
Nick Sharp
e <mailto:nick.sharp@valex.com.au> nick.sharp@valex.com.au
