From: Morgan Toal on 21 Dec 2009 10:00

Hi there,

I'll repost this, as I'm kind of needing to get some resolution on this issue. If anyone has some documentation they could point me to I'd appreciate it, or perhaps a sample check password script suitable for Fedora 11.

Thanks!!!

mtoal

-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal <mtoal(a)burlingtoniowa.org>
To: samba(a)lists.samba.org

Hi there,

Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily accomplished via pdbedit:

    # pdbedit -P "min password length" -C 8
    # pdbedit -P "password history" -C 10
    # pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However, this does not address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

    check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is present on my system. There is a /usr/sbin/cracklib-check but it seems to work on a file or stream, like grep or something, as opposed to returning a value as a function. And it does not seem to accept a "-d" switch. There seems to be no man page for cracklib-check. I have a dictionary in /usr/share/cracklib.

Here is what cracklib-check does...

    # cracklib-check
    test
    test: it is too short
    booger
    booger: it is based on a dictionary word
    bfg9000
    bfg9000: OK
    ^C
    # cracklib-check booger    <-- attempting to check password "booger"
    ^C                         <-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't think it can return an error code to Samba if I use a crappy password. I try this anyway, but it does not seem to accomplish anything. I see nothing in /var/log/messages or in /var/log/samba/log.smbd:

    check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?

1) where can I get an example crackcheck script file?

2) I have seen other suggestions to use pam. This might supersede some of the tdbsam policy requirements. Is this a better method?

-- 
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Jack Downes on 21 Dec 2009 11:00

If you've got password synchronization working, you should be able to depend on system complexity tests. I think in RH, those settings are in /etc/pam.d/system-auth or /etc/pam.d/common-password. I can't recall for sure. But try taking a look at that route. Might work, who knows...

Morgan Toal wrote:
> Hi there,
>
> I'll repost this, as I'm kind of needing to get some resolution on
> this issue. If anyone has some documentation they could point me to
> I'd appreciate it, or perhaps a sample check password script suitable
> for Fedora 11.
>
> Thanks!!!
>
> mtoal
>
> -------- Original Message --------
> Subject: [Samba] samba password complexity help?
> Date: Thu, 17 Dec 2009 14:38:34 -0600
> From: Morgan Toal <mtoal(a)burlingtoniowa.org>
> To: samba(a)lists.samba.org
>
> Hi there,
>
> Here are the facts:
> - I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
> - Samba is acting as a domain controller, no Windows server involved.
> - I am using tdbsam.
> - I need to enforce certain password requirements.
>
> The password requirements are:
> - min 8 characters
> - expiration 90 days
> - last 10 passwords may not be reused
> - not a dictionary word
>
> Per the Samba 3.2 FAQ, the first three requirements are easily
> accomplished via pdbedit:
> # pdbedit -P "min password length" -C 8
> # pdbedit -P "password history" -C 10
> # pdbedit -P "maximum password age" -C 90
>
> These items appear to work with no difficulty. However this does not
> address the dictionary/complexity requirement.
>
> I have seen the following suggestion elsewhere on the samba list:
>
> check password script = /usr/local/sbin/crackcheck -d
> /var/cache/cracklib/cracklib_dict
>
> I am not able to use this suggestion directly. No file "crackcheck" is
> present on my system. There is a /usr/sbin/cracklib-check but it seems
> to work on a file or stream, like grep or something, as opposed to
> returning a value as a function.
> And it does not seem to accept a "-d"
> switch. There seems to be no man page for cracklib-check. I have a
> dictionary in /usr/share/cracklib
>
> Here is what cracklib-check does...
>
> # cracklib-check
> test
> test: it is too short
> booger
> booger: it is based on a dictionary word
> bfg9000
> bfg9000: OK
> ^C
> # cracklib-check booger <-- attempting to check password "booger"
> ^C <-- sits there for input, ctrl-c to get out
>
> It does not seem to be a program that "returns" something, so I don't
> think it can return an error code to Samba if I use a crappy password.
> I try this anyway, but it does not seem to accomplish anything. I
> see nothing in /var/log/messages or in /var/log/samba/log.smbd
>
> check password script = /usr/sbin/cracklib-check
> /usr/share/cracklib/pw_dict
>
> Well, it doesn't seem to work when I change my password from a windows
> client. Does anyone have any suggestions? Thanks.
>
> So what it boils down to is:
>
> 0) what am I missing here?
>
> 1) where can I get an example crackcheck script file?
>
> 2) I have seen other suggestions to use pam. This might supersede some
> of the tdbsam policy requirements. Is this a better method?
From: Morgan Toal on 21 Dec 2009 13:30
Fixed. Thank you, John, for your comment, which made me realize that crackcheck was something I needed to compile myself. I had thought this was perhaps a version difference between older and newer versions of cracklib. In my case I was using prebuilt RPMs. Please see my notes below for my steps to resolution (cc: to samba list for posterity).

Also, thank you, Jack, for your suggestion. I was able to get passwd sync to work, but since the users never log into the samba box directly I wanted to keep this entirely "within samba" so to speak and not deal with setting up the pam restrictions on unix accounts.

thanks again...

mtoal

On 12/21/2009 9:17 AM, john(a)hytronix.com wrote:
>> I'll repost this, as I'm kind of needing to get some resolution on this
>> issue. If anyone has some documentation they could point me to I'd
>> appreciate it, or perhaps a sample check password script suitable for
>> Fedora 11.
>
> Look in your samba source, under examples->auth->crackcheck, if you built
> from source - since you have the cracklib stuff already you have all you
> need.
>
> If you are using prebuilt RPMs, it's in one of them, but I don't recall
> which.
>
> -John

    # create-cracklib-dict /usr/share/dict/words
We need to be sure we have created our password dictionary. It is created for us in /usr/share/cracklib/pw_dict.pwd; this is referred to in smb.conf when we set up password checking.

I received a suggestion that crackcheck was to be compiled from samba source; it exists in examples/auth/crackcheck.

    # yum install samba-doc
Didn't have crackcheck in it. Look for the main samba source rpm.

    # rpm -ivh samba-3.4.2-0.42.fc11.src.rpm
I got it from rpmseek.com. /examples/auth/crackcheck.c is present in this directory: /root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

Now, what do I need to compile it? We at least need to install gcc, maybe cracklib-dev.

    # yum install gcc
    make
Didn't work yet, probably need cracklib-devel.

    # yum install cracklib-devel
    make
Worked. The crackcheck executable resides in /root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck. Copy this to somewhere more sensible:

    cp crackcheck /usr/local/sbin

    # /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
    erjioerjfiorfjeirfjoeri
(returns nothing, implying the password was acceptable)

    # /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
    crappy
    ERR - it is based on a dictionary word
(returns an error indicating the password is not acceptable)

    # vi /etc/samba/smb.conf
    check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
    # service smb reload

Try it now from a windows client that is on that domain.

Things to check if all passwords are rejected, even good ones...
....is pw_dict an empty or very small file? remake it.
....is crackcheck executable where you think it is?
....is the path to crackcheck executable valid? (I had a typo)
....is the path to the pw_dict valid?

-- 
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
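The piece the thread circles around is the contract behind "check password script": Samba writes the candidate cleartext password to the script's standard input and accepts the change only if the script exits 0, which is exactly why a stream-style tool such as cracklib-check cannot be dropped in unwrapped. The script below is an added example for this thread, not Samba's examples/auth/crackcheck.c nor any cracklib code; it implements that contract in POSIX sh with the 8-character floor from the thread, an optional plain word list, and cracklib-check's "word: reason" output converted into an exit status. The variable names MIN_LEN, WORDLIST and CRACKLIB_BIN and the install path /usr/local/sbin/checkpw.sh are this example's own choices.

```shell
#!/bin/sh
# Added example, not Samba's examples/auth/crackcheck.c: a "check password
# script" in POSIX sh. Samba writes the candidate cleartext password to the
# script's stdin and accepts the change only if the script exits 0, so a
# stream-style checker such as cracklib-check only needs its output turned
# into an exit status. MIN_LEN, WORDLIST and CRACKLIB_BIN are names used here.

MIN_LEN="${MIN_LEN:-8}"                         # same floor as pdbedit "min password length" 8
WORDLIST="${WORDLIST:-}"                        # optional one-word-per-line file, e.g. /usr/share/dict/words
CRACKLIB_BIN="${CRACKLIB_BIN:-cracklib-check}"  # point at a missing path to skip the cracklib stage

# check_password: read one candidate from stdin, print a crackcheck-style
# "ERR - <reason>" on rejection, return 0 to accept or 1 to reject.
check_password() {
    pw=
    # IFS= and -r keep leading/trailing spaces and backslashes; the "|| [ -n ... ]"
    # accepts input that arrives without a trailing newline.
    IFS= read -r pw || [ -n "$pw" ] || { printf 'ERR - empty password\n'; return 1; }

    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        printf 'ERR - it is too short\n'
        return 1
    fi

    # Whole-line, case-insensitive, fixed-string match against the word list.
    if [ -n "$WORDLIST" ] && [ -r "$WORDLIST" ] && grep -qixF -- "$pw" "$WORDLIST"; then
        printf 'ERR - it is based on a dictionary word\n'
        return 1
    fi

    # cracklib-check answers "<word>: OK" or "<word>: <reason>" on stdout and
    # gives no useful exit code; keep the text after the last ": " as the verdict.
    if command -v "$CRACKLIB_BIN" >/dev/null 2>&1; then
        verdict=$(printf '%s\n' "$pw" | "$CRACKLIB_BIN" | sed 's/^.*: //')
        if [ "$verdict" != "OK" ]; then
            printf 'ERR - %s\n' "$verdict"
            return 1
        fi
    fi
    return 0
}

# Installed as /usr/local/sbin/checkpw.sh and configured with
#   check password script = /usr/local/sbin/checkpw.sh
# the guard runs the check; sourced or run under another name, it only
# defines the function.
case "$0" in
    *checkpw.sh) check_password; exit $? ;;
esac
```

Because the cracklib stage is skipped when the binary is absent, the wrapper fails open on that stage only; the length and word-list checks still apply, and anything cracklib-check prints that is not "OK" is rejected.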