Hi there,

Here are the facts:

- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:

- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily accomplished via pdbedit:

# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However this does not address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is present on my system. There is a /usr/sbin/cracklib-check but it seems to work on a file or stream, like grep or something, as opposed to returning a value as a function. And it does not seem to accept a "-d" switch. There seems to be no man page for cracklib-check. I have a dictionary in /usr/share/cracklib.

Here is what cracklib-check does...

# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger      <-- attempting to check password "booger"
^C                           <-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't think it can return an error code to Samba if I use a crappy password. But I tried this anyway, and it does not seem to accomplish anything. I see nothing in /var/log/messages or in /var/log/samba/log.smbd:

check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?
1) where can I get an example crackcheck script file?
2) I have seen other suggestions to use pam. This might supersede some of the tdbsam policy requirements. Is this a better method?

--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
Hi there,

I'll repost this, as I'm kind of needing to get some resolution on this issue. If anyone has some documentation they could point me to I'd appreciate it, or perhaps a sample check password script suitable for Fedora 11.

Thanks!!!

mtoal

-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal <mtoal at burlingtoniowa.org>
To: samba at lists.samba.org
Fixed.

Thank you John for your comment, which made me realize that crackcheck was something I needed to compile myself. I had thought this was perhaps a version difference between older and newer versions of cracklib. In my case I was using prebuilt RPMs. Please see my notes below for my steps to resolution (cc: to samba list for posterity).

Also, thank you Jack for your suggestion. I was able to get passwd sync to work, but since the users never log into the samba box directly I wanted to keep this entirely "within samba" so to speak and not deal with setting up the pam restrictions on unix accounts.

thanks again...

mtoal

On 12/21/2009 9:17 AM, john at hytronix.com wrote:
>> I'll repost this, as I'm kind of needing to get some resolution on this
>> issue. If anyone has some documentation they could point me to I'd
>> appreciate it, or perhaps a sample check password script suitable for
>> Fedora 11.
>
> Look in your samba source, under examples->auth->crackcheck, if you built
> from source - since you have the cracklib stuff already you have all you
> need.
>
> If you are using prebuilt RPMs, it's in one of them, but I don't recall
> which.
>
> -John

# create-cracklib-dict /usr/share/dict/words

we need to be sure we have created our password dictionary
it is created for us in /usr/share/cracklib/pw_dict.pwd
this is referred to in smb.conf when we set up password checking

I received a suggestion that crackcheck was to be compiled from samba source, exists in examples/auth/crackcheck

# yum install samba-doc

didn't have crackcheck in it. look for the main samba source rpm.

# rpm -ivh samba-3.4.2-0.42.fc11.src.rpm

i got it from rpmseek.com
/examples/auth/crackcheck.c is present in this directory:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

Now, what do I need to compile it?
we at least need to install gcc, maybe cracklib-dev

# yum install gcc
# make

didn't work yet, probably need cracklib-devel

# yum install cracklib-devel
# make

worked

crackcheck executable resides in:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

copy this to somewhere more sensible:

# cp crackcheck /usr/local/sbin

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict erjioerjfiorfjeirfjoeri
(returns nothing, implying the password was acceptable)

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict crappy
ERR - it is based on a dictionary word
(returns an error indicating the password is not acceptable)

# vi /etc/samba/smb.conf
check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict

# service smb reload

try it now from a windows client that is on that domain.

things to check if all passwords are rejected, even good ones...
...is pw_dict an empty or very small file? remake it.
...is crackcheck executable where you think it is?
...is the path to the crackcheck executable valid? (I had a typo)
...is the path to the pw_dict valid?

--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
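An added example, not from this thread and not Samba's own code: a POSIX shell wrapper that makes the stock /usr/sbin/cracklib-check usable as a "check password script" on a box where compiling examples/auth/crackcheck is not an option. Samba writes the candidate password to the script's standard input and treats exit status 0 as accept and any other status as reject (smb.conf(5), check password script); the compiled crackcheck in the notes above follows the same contract. cracklib-check, as the original post shows, reads candidates from stdin and echoes each one followed by ": OK" or ": <reason>", so the wrapper feeds it one password and compares the whole verdict line. The install path, the CRACKLIB_CHECK and MIN_LEN defaults, the script name used to guard main, and the sample verdict lines quoted in the comments are assumptions.

```shell
#!/bin/sh
# Added example: Samba "check password script" wrapping cracklib-check.
# Not from the thread or from Samba. Assumes /usr/sbin/cracklib-check prints
# "<pw>: OK" for an acceptable password and "<pw>: <reason>" otherwise, as
# seen in the original post.
#
# Assumed install: /usr/local/sbin/check_password.sh, mode 0750 root:root,
# then in smb.conf:
#   check password script = /usr/local/sbin/check_password.sh
#
# Samba sends the candidate password on our stdin and expects exit 0 to
# accept it; any other status rejects the change (smb.conf(5)).

CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}   # assumption
MIN_LEN=${MIN_LEN:-8}   # assumption: mirrors the pdbedit "min password length" of 8

# verdict_ok PASSWORD LINE
# Succeed only if LINE is exactly "PASSWORD: OK". Comparing the whole line
# instead of grepping for "OK" means a password that itself contains ": OK"
# cannot spoof an accept (e.g. "a: OK" yields "a: OK: it is too short").
verdict_ok() {
    [ "$2" = "$1: OK" ]
}

# long_enough PASSWORD
# cracklib's own length floor is low (the post shows only "test" rejected
# as too short), so enforce the site minimum here as well.
long_enough() {
    [ "${#1}" -ge "$MIN_LEN" ]
}

# check_password PASSWORD
# Run one candidate through cracklib-check and return 0 only on "<pw>: OK".
# Fails closed (non-zero) if the checker is missing, so a broken install
# cannot silently accept weak passwords. The verdict line is never logged
# or echoed because cracklib-check repeats the password in it.
check_password() {
    pw=$1
    long_enough "$pw" || return 1
    [ -x "$CRACKLIB_CHECK" ] || return 2
    line=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>/dev/null | head -n 1)
    verdict_ok "$pw" "$line"
}

main() {
    # Read exactly one line from Samba; IFS= and -r keep the password intact.
    IFS= read -r candidate || candidate=""
    if check_password "$candidate"; then
        exit 0
    fi
    exit 1
}

# Only run main when invoked under the assumed install name, so the
# functions can be sourced and exercised without touching stdin.
case "${0##*/}" in
    check_password.sh) main ;;
esac
```

To try it by hand before pointing smb.conf at it: printf 'booger\n' | /usr/local/sbin/check_password.sh; echo $? should print 1, and a long random string should give 0. Keep the script root-owned and not world-writable, since smbd runs it as root with the new password on stdin; and note that if the dictionary under /usr/share/cracklib is empty or missing, cracklib-check rejects everything and the wrapper will too, which matches the "all passwords rejected" symptom in the notes above.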