From: Morgan Toal on
Hi there,

I'll repost this, as I'm kind of needing to get some resolution on this
issue. If anyone has some documentation they could point me to I'd
appreciate it, or perhaps a sample check password script suitable for
Fedora 11.

Thanks!!!

mtoal

-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal <mtoal(a)burlingtoniowa.org>
To: samba(a)lists.samba.org

Hi there,

Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However this does not
address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is
present on my system. There is a /usr/sbin/cracklib-check but it seems
to work on a file or stream, like grep or something, as opposed to
returning a value as a function. And it does not seem to accept a "-d"
switch. There seems to be no man page for cracklib-check. I have a
dictionary in /usr/share/cracklib

Here is what cracklib-check does...

# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger <-- attempting to check password "booger"
^C <-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't
think it can return an error code to Samba if I use a crappy password.
I tried this anyway, but it does not seem to accomplish anything. I
see nothing in /var/log/messages or in /var/log/samba/log.smbd.

check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows
client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?

1) where can I get an example crackcheck script file?

2) I have seen other suggestions to use pam. This might supersede some
of the tdbsam policy requirements. Is this a better method?



--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

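One way to give smbd the exit-status-driven check the poster is asking for in question 1, as an added example that is not code from this thread, from the Samba examples directory or from cracklib: a POSIX shell wrapper usable as the `check password script`. smbd writes the candidate password to the script's standard input and accepts the change only when the script exits 0, so the wrapper enforces a minimum length, refuses exact matches from a plain word list and, when cracklib-check is installed, parses its "word: OK" / "word: reason" output, because that tool's exit status does not carry the verdict. The script name, the MIN_LEN and CRACKLIB_BIN defaults and the word-list path in the smb.conf line are assumptions.

```shell
#!/bin/sh
# samba-pwcheck.sh: an added example of a Samba "check password script",
# not code from the thread or from the Samba project. smbd writes the
# candidate password to this script's standard input and accepts the
# change only when the script exits 0; any other status rejects it.
# The client gets only a generic rejection status, so reasons are
# printed to stderr for command-line testing.
#
# smb.conf (assumed script path and word list):
#   check password script = /usr/local/sbin/samba-pwcheck.sh /usr/share/dict/words
#
# MIN_LEN and CRACKLIB_BIN are assumed defaults; override them via the
# environment.
MIN_LEN="${MIN_LEN:-8}"
CRACKLIB_BIN="${CRACKLIB_BIN:-/usr/sbin/cracklib-check}"

# reject REASON: log the reason and signal failure
reject() {
    printf 'samba-pwcheck: rejected: %s\n' "$1" >&2
    return 1
}

# check_password WORDLIST   (password on stdin) -> 0 accept, 1 reject
check_password() {
    wordlist="$1"

    # IFS= keeps leading/trailing spaces, -r keeps backslashes; the
    # "|| [ -n ... ]" accepts input that lacks a trailing newline.
    IFS= read -r pw || [ -n "$pw" ]
    [ -n "$pw" ] || { reject "empty password"; return 1; }

    # 1) minimum length (duplicates the pdbedit policy, but keeps this
    #    script meaningful when run by hand)
    [ "${#pw}" -ge "$MIN_LEN" ] ||
        { reject "shorter than $MIN_LEN characters"; return 1; }

    # 2) exact, case-insensitive match against a one-word-per-line list
    if [ -r "$wordlist" ] && grep -qixF -e "$pw" "$wordlist"; then
        reject "is a dictionary word"; return 1
    fi

    # 3) cracklib-check, if installed: it reads words from stdin and prints
    #    "<word>: OK" or "<word>: <reason>"; its exit status does not carry
    #    the verdict, so only the printed text is trusted here.
    if [ -x "$CRACKLIB_BIN" ]; then
        verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_BIN")
        case "$verdict" in
            *": OK") ;;
            *) reject "cracklib: ${verdict#*: }"; return 1 ;;
        esac
    fi
    return 0
}

# When invoked by smbd (with the word-list argument), run the check and
# hand the verdict back as the exit status.
if [ "$#" -gt 0 ]; then
    check_password "$1"
    exit $?
fi
```

To test it by hand, run `printf 'booger\n' | sh samba-pwcheck.sh /usr/share/dict/words; echo $?` and expect a non-zero status with the reason on stderr; smbd will do exactly the same thing on a password change. The length check is redundant with `pdbedit -P "min password length"`, but it makes the script useful on its own and costs nothing.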
From: Jack Downes on
If you've got password synchronization working, you should be able to
depend on system complexity tests. I think in RH, those settings are in
/etc/pam.d/system-auth or /etc/pam.d/common-password. I can't recall
for sure. But try taking a look at that route. Might work, who knows...

Morgan Toal wrote:
> Hi there,
>
> I'll repost this, as I'm kind of needing to get some resolution on
> this issue. If anyone has some documentation they could point me to
> I'd appreciate it, or perhaps a sample check password script suitable
> for Fedora 11.
>
> Thanks!!!
>
> mtoal
>
> -------- Original Message --------
> Subject: [Samba] samba password complexity help?
> Date: Thu, 17 Dec 2009 14:38:34 -0600
> From: Morgan Toal <mtoal(a)burlingtoniowa.org>
> To: samba(a)lists.samba.org
>
> Hi there,
>
> Here are the facts:
> - I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
> - Samba is acting as a domain controller, no Windows server involved.
> - I am using tdbsam.
> - I need to enforce certain password requirements.
>
> The password requirements are:
> - min 8 characters
> - expiration 90 days
> - last 10 passwords may not be reused
> - not a dictionary word
>
> Per the Samba 3.2 FAQ, the first three requirements are easily
> accomplished via pdbedit:
> # pdbedit -P "min password length" -C 8
> # pdbedit -P "password history" -C 10
> # pdbedit -P "maximum password age" -C 90
>
> These items appear to work with no difficulty. However this does not
> address the dictionary/complexity requirement.
>
> I have seen the following suggestion elsewhere on the samba list:
>
> check password script = /usr/local/sbin/crackcheck -d
> /var/cache/cracklib/cracklib_dict
>
> I am not able to use this suggestion directly. No file "crackcheck" is
> present on my system. There is a /usr/sbin/cracklib-check but it seems
> to work on a file or stream, like grep or something, as opposed to
> returning a value as a function. And it does not seem to accept a "-d"
> switch. There seems to be no man page for cracklib-check. I have a
> dictionary in /usr/share/cracklib
>
> Here is what cracklib-check does...
>
> # cracklib-check
> test
> test: it is too short
> booger
> booger: it is based on a dictionary word
> bfg9000
> bfg9000: OK
> ^C
> # cracklib-check booger <-- attempting to check password "booger"
> ^C <-- sits there for input, ctrl-c to get out
>
> It does not seem to be a program that "returns" something, so I don't
> think it can return an error code to Samba if I use a crappy password.
> But I try this anyway, but it does not seem to accomplish anything. I
> see nothing in /var/log/messages or in /var/log/samba/log.smbd
>
> check password script = /usr/sbin/cracklib-check
> /usr/share/cracklib/pw_dict
>
> Well, it doesn't seem to work when I change my password from a windows
> client. Does anyone have any suggestions? Thanks.
>
> So what it boils down to is:
>
> 0) what am I missing here?
>
> 1) where can I get an example crackcheck script file?
>
> 2) I have seen other suggestions to use pam. This might supersede some
> of the tdbsam policy requirements. Is this a better method?
>
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Morgan Toal on
Fixed.

Thank you John for your comment, which made me realize that crackcheck
was something I needed to compile myself. I had thought this was perhaps
a version difference between older and newer versions of cracklib. In my
case I was using prebuilt RPMs. Please see my notes below for my steps
to resolution (cc: to samba list for posterity).

Also, thank you Jack for your suggestion. I was able to get passwd sync
to work, but since the users never log into the samba box directly I
wanted to keep this entirely "within samba" so to speak and not deal
with setting up the pam restrictions on unix accounts.

thanks again...

mtoal

On 12/21/2009 9:17 AM, john(a)hytronix.com wrote:

>> I'll repost this, as I'm kind of needing to get some resolution on this
>> issue. If anyone has some documentation they could point me to I'd
>> appreciate it, or perhaps a sample check password script suitable for
>> Fedora 11.
>
> Look in your samba source, under examples->auth->crackcheck, if you built
> from source - since you have the cracklib stuff already you have all you
> need.
>
> If you are using prebuilt RPMs, it's in one of them, but I don't recall
> which.
>
> -John

# create-cracklib-dict /usr/share/dict/words
we need to be sure we have created our password dictionary
it is created for us in /usr/share/cracklib/pw_dict.pwd
this is referred to in smb.conf when we set up password checking

I received a suggestion that crackcheck was to be compiled from samba
source, exists in examples/auth/crackcheck

# yum install samba-doc
didn't have crackcheck in it.
look for the main samba source rpm.

# rpm -ivh samba-3.4.2-0.42.fc11.src.rpm
I got it from rpmseek.com.
/examples/auth/crackcheck.c is present in this directory:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck
Now, what do I need to compile it?
we at least need to install gcc, maybe cracklib-dev

# yum install gcc
make didn't work yet, probably need cracklib-devel

# yum install cracklib-devel
make worked
crackcheck executable resides in:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

copy this to somewhere more sensible:
cp crackcheck /usr/local/sbin

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
erjioerjfiorfjeirfjoeri
(returns nothing implying the password was acceptable)

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
crappy
ERR - it is based on a dictionary word
(returns an error indicating password is not acceptable)

# vi /etc/samba/smb.conf
check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict

# service smb reload

try it now from a windows client that is on that domain.

things to check if all passwords are rejected even good ones...
....is pw_dict an empty or very small file? remake it.
....is crackcheck executable where you think it is?
....is the path to crackcheck executable valid? (I had a typo)
....is the path to the pw_dict valid?

--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
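The four "things to check if all passwords are rejected" at the end of the resolution notes can be run as a script before anyone tries a password change from a Windows client. This is an added example, not code from the thread, from Samba or from cracklib: it reads the `check password script` line out of smb.conf, confirms the hook is executable, confirms the `-d <prefix>` dictionary exists as the three files `create-cracklib-dict` writes (`.pwd`, `.pwi`, `.hwm`) and is not tiny, then runs the hook the way smbd does (password on stdin, verdict in the exit status) with one obviously weak and one strong probe password. The script name, the MIN_DICT_BYTES threshold and the probe passwords are assumptions.

```shell
#!/bin/sh
# samba-pwcheck-preflight.sh: an added example (not from the thread, Samba
# or cracklib) that automates the troubleshooting list above. Usage:
#   sh samba-pwcheck-preflight.sh /etc/samba/smb.conf
# MIN_DICT_BYTES is an assumed heuristic for "is pw_dict very small?",
# not a cracklib or Samba constant.
MIN_DICT_BYTES="${MIN_DICT_BYTES:-100000}"

# hook_line CONF: print the value of the last "check password script" line
# in CONF (Samba takes the last definition). Commented lines ("#" or ";")
# do not match because the pattern is anchored after leading whitespace.
# Samba ignores case and whitespace in parameter names; this pattern only
# matches the canonical spelling.
hook_line() {
    sed -n 's/^[[:space:]]*check password script[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1
}

# dict_ok PREFIX: create-cracklib-dict writes PREFIX.pwd, .pwi and .hwm;
# all three must exist and the .pwd must not be tiny (the first item on
# the troubleshooting list).
dict_ok() {
    for ext in pwd pwi hwm; do
        [ -s "$1.$ext" ] ||
            { echo "dictionary file missing or empty: $1.$ext" >&2; return 1; }
    done
    size=$(wc -c < "$1.pwd" | tr -d ' ')
    [ "$size" -ge "$MIN_DICT_BYTES" ] ||
        { echo "dictionary suspiciously small: $1.pwd is $size bytes" >&2; return 1; }
}

# probe PASSWORD HOOK [ARGS...]: feed PASSWORD to the hook on stdin the way
# smbd does and return the hook's exit status (0 = accepted)
probe() {
    pw="$1"; shift
    printf '%s\n' "$pw" | "$@" >/dev/null 2>&1
}

# preflight CONF: 0 if the hook looks deployable, 1 (with reasons) if not
preflight() {
    line=$(hook_line "$1")
    [ -n "$line" ] || { echo "no 'check password script' in $1" >&2; return 1; }

    # split the value into words as the shell smbd invokes will (no quote
    # handling here); the first word is the executable
    set -- $line
    [ -x "$1" ] || { echo "hook not executable or path wrong: $1" >&2; return 1; }

    # look for crackcheck's "-d <prefix>" and validate that dictionary
    prefix=""; prev=""
    for arg in "$@"; do
        [ "$prev" = "-d" ] && prefix="$arg"
        prev="$arg"
    done
    if [ -n "$prefix" ]; then dict_ok "$prefix" || return 1; fi

    # the hook must reject an obviously weak password and accept a strong
    # one (both probe values are constructed here)
    if probe "password" "$@"; then
        echo "hook accepted the password 'password'" >&2; return 1
    fi
    probe "Erjio-erjfiorfj3irfjo3ri" "$@" ||
        { echo "hook rejected a strong probe; check the dictionary path" >&2; return 1; }
    echo "ok: check password script = $line"
}

if [ "$#" -gt 0 ]; then
    preflight "$1"
    exit $?
fi
```

A non-zero exit with a reason on stderr points at the same thing the list does (empty dictionary, wrong path, missing execute bit), and the two probes catch the case where everything is in place but the hook still answers wrongly.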