Hi,

Here's what I've done so far:

- Added a simple API in cracklib for Samba, works great.
- Sent an email to Alec Muffett, author of cracklib, asking him if he can add this new API that doesn't use "getuid() & getpwuid()".
- Sent an email to Chris Hoover, author of "npasswd", asking him a few questions about his work and also if he could add the new "API" in npasswd's cracklib distribution.

Note: npasswd's cracklib is modified to do a much better check (mangle). He added some code from "Crack" which Alec never added in cracklib. npasswd's new cracklib "API" does not use getuid / getpwuid, which is what we need, but it doesn't check against the username & full username info. I think this is really important.

Issues & questions:

- Will we ever see more work on cracklib? Nothing has changed since 1997. We know we need to add an "API" that doesn't use "getuid() / getpwuid()". If Alec and/or Chris don't want to add an API that doesn't use the get{pw}uid(), we can:
  1- Add a patch to cracklib in a "contrib" directory, link Samba with "libcrack.a"
  2- Commit an API in "Samba", still link with "libcrack.a" for the rest of the functionalities.
  3- Commit a "samba-cracklib" in SAMBA_X_Y, i.e. fully integrate samba-cracklib in Samba (no more fprintf(stderr,...), etc.), when possible use Samba's "string" functions instead of cracklib's original. Don't use sprintf, use Samba's snprintf, etc.

[Q] What do you think is the best to do? I don't like #1. #2 is possible, we'll probably end up with our own re-written "fascist.c".

Some "meat" now, not a big piece! Added the following code in smbd/chgpassword.c ~ line 973:

    #ifdef CRACKLIB
    const char *msg;
    /* NewFascistCheck returns NULL when the password is acceptable,
     * otherwise a string describing why it was rejected */
    if ((msg = NewFascistCheck(new_passwd, CRACKLIB_DICTPATH,
                               pdb_get_username(hnd), pdb_get_fullname(hnd)))) {
        DEBUG(0, ("Can't change password - "
                  "Cracklib returns: %s\n", msg));
        return NT_STATUS_ACCESS_DENIED;
        /* return NT_STATUS_PASSWORD_RESTRICTION; */
    }
    #endif

[Q] Do we want to be able to configure the dictionary name within the smb.conf (char *) or "hard-coded" in cracklib? Perhaps we want to be able to specify multiple directories (char **). npasswd uses "(char **)" (multiple). I have no preference.

As you probably all know, I'm no Windows protocol guru!

[Q] Is NT_STATUS_ACCESS_DENIED the right value to return when "cracklib" "finds the password" in the dictionary?

[Q] Is it possible to send back a real message? It could be "The specified password is invalid. Please choose a password not based on a dictionary word" or "password not long enough - minimum X characters", etc. When I change my password here @ work (with a Windows backend domain controller), I can't take any of my previous ~ 3 passwords. I do get an "understandable" error message. Is everything needed to send back a "good" error message already in Samba? If so, how? If not, well, I might need to install a good sniffer and read a few more documents to understand "windows protocol", unless someone here already knows how to do this.

Any other comments are welcome. Thank you *very much* - enjoy the weekend.

Pierre B.
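As an added example (not Samba's or cracklib's code, and not the NewFascistCheck API the message calls), here is a small C routine showing the username / full-name check the message says npasswd's API lacks: it returns NULL when the password passes and a reason string otherwise, the same calling convention as the snippet above. The function name user_info_check, the MIN_LEN value and the reason strings are my own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 8  /* assumed minimum length; cracklib's own value differs */

/* bounded lowercase copy, so comparisons are case-insensitive */
static void lower_copy(char *dst, size_t dstlen, const char *src) {
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* true if tok (at least 3 chars) appears in hay forwards or reversed */
static int contains_token(const char *hay, const char *tok) {
    char rev[64];
    size_t n = strlen(tok);
    if (n < 3 || n >= sizeof rev) return 0;      /* too short to matter */
    if (strstr(hay, tok)) return 1;
    for (size_t i = 0; i < n; i++) rev[i] = tok[n - 1 - i];
    rev[n] = '\0';
    return strstr(hay, rev) != NULL;
}

/* NULL = acceptable, otherwise a static string saying why it was rejected */
const char *user_info_check(const char *pw, const char *user, const char *fullname) {
    char lpw[256], luser[64], lname[128], tok[64];
    if (strlen(pw) < MIN_LEN) return "password not long enough";
    lower_copy(lpw, sizeof lpw, pw);
    lower_copy(luser, sizeof luser, user);
    if (contains_token(lpw, luser)) return "password is based on the username";
    lower_copy(lname, sizeof lname, fullname);
    /* check each space-separated part of the full name ("Pierre", "B") */
    for (const char *p = lname; *p; ) {
        while (*p == ' ') p++;
        const char *start = p;
        while (*p && *p != ' ') p++;
        size_t n = (size_t)(p - start);
        if (n == 0 || n >= sizeof tok) continue;
        memcpy(tok, start, n); tok[n] = '\0';
        if (contains_token(lpw, tok)) return "password is based on the full name";
    }
    return NULL;
}

int main(void) {
    const char *r = user_info_check("pierre123!", "pierre", "Pierre Bouchard");
    printf("%s\n", r ? r : "ok");  /* prints: password is based on the username */
    return 0;
}
```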