If you've got password synchronization working, you should be able to depend on system complexity tests. I think in RH, those settings are in /etc/pam.d/system-auth or /etc/pam.d/common-password. I can't recall for sure. But try taking a look at that route. Might work, who knows...

Morgan Toal wrote:
> Hi there,
>
> I'll repost this, as I'm kind of needing to get some resolution on
> this issue. If anyone has some documentation they could point me to
> I'd appreciate it, or perhaps a sample check password script suitable
> for Fedora 11.
>
> Thanks!!!
>
> mtoal
>
> -------- Original Message --------
> Subject: [Samba] samba password complexity help?
> Date: Thu, 17 Dec 2009 14:38:34 -0600
> From: Morgan Toal <mt...@burlingtoniowa.org>
> To: samba@lists.samba.org
>
> Hi there,
>
> Here are the facts:
> - I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
> - Samba is acting as a domain controller, no Windows server involved.
> - I am using tdbsam.
> - I need to enforce certain password requirements.
>
> The password requirements are:
> - min 8 characters
> - expiration 90 days
> - last 10 passwords may not be reused
> - not a dictionary word
>
> Per the Samba 3.2 FAQ, the first three requirements are easily
> accomplished via pdbedit:
> # pdbedit -P "min password length" -C 8
> # pdbedit -P "password history" -C 10
> # pdbedit -P "maximum password age" -C 90
>
> These items appear to work with no difficulty. However this does not
> address the dictionary/complexity requirement.
>
> I have seen the following suggestion elsewhere on the samba list:
>
> check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
>
> I am not able to use this suggestion directly. No file "crackcheck" is
> present on my system. There is a /usr/sbin/cracklib-check but it seems
> to work on a file or stream, like grep or something, as opposed to
> returning a value as a function. And it does not seem to accept a "-d"
> switch. There seems to be no man page for cracklib-check. I have a
> dictionary in /usr/share/cracklib
>
> Here is what cracklib-check does...
>
> # cracklib-check
> test
> test: it is too short
> booger
> booger: it is based on a dictionary word
> bfg9000
> bfg9000: OK
> ^C
> # cracklib-check booger <-- attempting to check password "booger"
> ^C <-- sits there for input, ctrl-c to get out
>
> It does not seem to be a program that "returns" something, so I don't
> think it can return an error code to Samba if I use a crappy password.
> But I try this anyway, but it does not seem to accomplish anything. I
> see nothing in /var/log/messages or in /var/log/samba/log.smbd
>
> check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict
>
> Well, it doesn't seem to work when I change my password from a windows
> client. Does anyone have any suggestions? Thanks.
>
> So what it boils down to is:
>
> 0) what am I missing here?
>
> 1) where can I get an example crackcheck script file?
>
> 2) I have seen other suggestions to use pam. This might supersede some
> of the tdbsam policy requirements. Is this a better method?
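
On the question of a sample check password script: the following is an added example, not code from this thread or from the Samba project. It wraps `cracklib-check` so that its text verdict becomes an exit status, relying on Samba passing the candidate password on the script's standard input and treating exit status 0 as acceptance. The install path is reused from the quoted suggestion; the `--stdin` flag, the `check_password` function and the `CRACKLIB_CHECK` variable are this example's own names.

```shell
#!/bin/sh
# Added example: turn cracklib-check's "<password>: <verdict>" line into an
# exit status for smb.conf's "check password script".
# Assumed smb.conf line (path from the quoted suggestion, flag is hypothetical):
#   check password script = /usr/local/sbin/crackcheck --stdin

# Checker binary; the thread reports /usr/sbin/cracklib-check on Fedora 11.
CRACKLIB_CHECK="${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}"

# Read one candidate password from stdin; return 0 only on the verdict "OK".
check_password() {
    # Accept input with or without a trailing newline; nothing at all = reject.
    IFS= read -r pw || [ -n "$pw" ] || return 1
    [ -n "$pw" ] || return 1
    # Feed the password through a pipe (printf is a builtin), so it never
    # appears as a command-line argument in the process list.
    out=$(printf '%s\n' "$pw" | "$CRACKLIB_CHECK" 2>/dev/null) || return 1
    # Strip the echoed "<password>: " prefix literally, so a password that
    # itself contains ": OK" cannot fake a pass.
    verdict=${out#"$pw: "}
    # Fail closed: a missing checker or unrecognised output is a rejection.
    [ "$verdict" = "OK" ]
}

# Act as Samba's hook only when called with --stdin. Without the flag the
# file just defines the function and exits 0, so keep the flag in smb.conf.
if [ "${1:-}" = "--stdin" ]; then
    check_password
    exit $?
fi
```

The script can be tried by hand with `printf 'booger' | /usr/local/sbin/crackcheck --stdin; echo $?` before pointing Samba at it.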