Fixed.

Thank you John for your comment, which made me realize that crackcheck was something I needed to compile myself. I had thought this was perhaps a version difference between older and newer versions of cracklib. In my case I was using prebuilt RPMs. Please see my notes below for my steps to resolution (cc: to samba list for posterity).

Also, thank you Jack for your suggestion. I was able to get passwd sync to work, but since the users never log into the samba box directly I wanted to keep this entirely "within samba" so to speak and not deal with setting up the pam restrictions on unix accounts.

thanks again...

mtoal

On 12/21/2009 9:17 AM, j...@hytronix.com wrote:

>> I'll repost this, as I'm kind of needing to get some resolution on this
>> issue. If anyone has some documentation they could point me to I'd
>> appreciate it, or perhaps a sample check password script suitable for
>> Fedora 11.
>
> Look in your samba source, under examples->auth->crackcheck, if you built
> from source - since you have the cracklib stuff already you have all you
> need.
>
> If you are using prebuilt RPMs, it's in one of them, but I don't recall
> which.
>
> -John

# create-cracklib-dict /usr/share/dict/words
we need to be sure we have created our password dictionary
it is created for us in /usr/share/cracklib/pw_dict.pwd
this is referred to in smb.conf when we set up password checking

I received a suggestion that crackcheck was to be compiled from samba source, exists in examples/auth/crackcheck

# yum install samba-doc
didn't have crackcheck in it.
look for the main samba source rpm.

# rpm -ivh samba-3.4.2-0.42.fc11.src.rpm
I got it from rpmseek.com
/examples/auth/crackcheck.c is present in this directory:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck
Now, what do I need to compile it?
we at least need to install gcc, maybe cracklib-dev

# yum install gcc
make didn't work yet, probably need cracklib-devel

# yum install cracklib-devel
make worked
crackcheck executable resides in:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

copy this to somewhere more sensible:
cp crackcheck /usr/local/sbin

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
erjioerjfiorfjeirfjoeri
(returns nothing implying the password was acceptable)

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
crappy
ERR - it is based on a dictionary word
(returns an error indicating password is not acceptable)

# vi /etc/samba/smb.conf
check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict

# service smb reload

try it now from a windows client that is on that domain.

things to check if all passwords are rejected even good ones...
...is pw_dict an empty or very small file? remake it.
...is crackcheck executable where you think it is?
...is the path to crackcheck executable valid? (I had a typo)
...is the path to the pw_dict valid?

--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
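
The "things to check" list in the message above, written as a preflight script. This is an added example, not part of the original post and not Samba's own code: it reads the "check password script" line from an smb.conf and verifies the crackcheck path and the pw_dict.pwd file it points at. The function names, the 1024-byte threshold and the constructed sandbox are assumptions made for the example.

```shell
#!/bin/sh
# Added example: preflight for the "all passwords rejected" checklist.
MIN_DICT_BYTES=1024  # assumption: a smaller pw_dict.pwd counts as "empty or very small"

# Prints one line per finding; returns 0 only if every check passes.
check_crackcheck_config() {
    conf=$1; problems=0
    # Value of "check password script"; commented-out lines do not match.
    line=$(sed -n 's/^[[:space:]]*check password script[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "FAIL: 'check password script' not set in $conf"; return 1; }
    set -f; set -- $line; set +f    # split on whitespace without globbing
    prog=$1; dict=; shift
    while [ $# -gt 0 ]; do          # find the dictionary passed with -d
        if [ "$1" = "-d" ] && [ $# -ge 2 ]; then dict=$2; fi
        shift
    done
    if [ -f "$prog" ] && [ -x "$prog" ]; then
        echo "ok:   $prog is executable"
    else
        echo "FAIL: $prog missing or not executable"; problems=1
    fi
    if [ -z "$dict" ]; then
        echo "FAIL: no -d dictionary argument"; problems=1
    elif [ ! -f "$dict.pwd" ]; then
        echo "FAIL: $dict.pwd not found"; problems=1
    else
        size=$(wc -c < "$dict.pwd" | tr -d ' ')
        if [ "$size" -lt "$MIN_DICT_BYTES" ]; then
            echo "FAIL: $dict.pwd is only $size bytes, remake it"; problems=1
        else
            echo "ok:   $dict.pwd is $size bytes"
        fi
    fi
    return $problems
}

# Constructed sandbox (fake crackcheck, dummy dictionary) so this runs without Samba.
make_sandbox() {
    sb=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$sb/crackcheck"; chmod +x "$sb/crackcheck"
    dd if=/dev/zero of="$sb/pw_dict.pwd" bs=1024 count=4 2>/dev/null
    printf '[global]\n; check password script = /old/path\n  check password script = %s -d %s\n' \
        "$sb/crackcheck" "$sb/pw_dict" > "$sb/smb.conf"
    echo "$sb"
}

# Run against a real file when given one: sh preflight.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then check_crackcheck_config "$1"; fi
```
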