Hi Guido,

There is a set of ways to accomplish such a task. Some I use are:

1) Set obey pam restrictions = yes in the smb.conf file.

2) Set

   check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict

   This checks the user's password against a dictionary. Crackcheck can be downloaded from samba (http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/). The cracklib package must be installed for the dictionary to work.

3) Use pam pam_cracklib to set your password rules for lower/upper characters, numbers, special characters, etc:

   password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1

   Or pam_passwdqc for the same thing:

   password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3

   See the man pages for correct option values.

4) You can block users after X retries using pam pam_tally.so, but I haven't tried this yet.

I think this can help you.

On 12/26/06, Guido Lorenzutti <[EMAIL PROTECTED]> wrote:
Maybe I can do this with the "check password script". But I only found the cracklib example. Does anyone know a way of doing this? Because the cracklib example only checks against a dictionary.

Thanks in advance.

Gary Dale wrote:
> I think you'll find at least some of these are Windows Policies and
> would not be reflected in the smb.conf file. If you check the Samba
> Howto collection and the Samba by example documents at samba.org,
> you'll find examples of how to set some of the policies.
>
> To be honest, I've never gone beyond requiring password changes,
> minimum lengths and histories. :)
>
>
> Guido Lorenzutti wrote:
>> Hi people! I have a few problems with the password strength in Samba.
>> I have a PDC with LDAP on Debian Stable, with a few packages from
>> backports.
>> The problem is that I can't find a way to enforce strength on the
>> passwords of the users. I can't define a policy to force things like:
>> number of uppercase letters, number of downcase letters, number of
>> numbers in the password, to check the difference between the new and
>> the old, to store a list of old passwords to check... I mean, things
>> that are required to enforce some policy of security by my company.
>> Bottom line? The users can put their username as password! Not even
>> that is checked...
>>
>> Is something wrong in my setup or is it a feature request? I see min
>> password length.. but.. the rest?
>>
>>
>> This is the important part of my setup:
>>
>> [global]
>>     #Network ID
>>     workgroup = JUSBAIRES
>>     netbios name = PDC
>>     netbios aliases = SERVER
>>     server string =
>>
>>     #Logs
>>     debug level = 0
>>     syslog = 0
>>     log level = 0
>>     log file = /var/log/samba/%m.%U.log
>>     max log size = 10000
>>     panic action = /usr/share/samba/panic-action %d
>>
>>     #Network Support
>>     name resolve order = wins hosts lmhosts bcast
>>     socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
>>     wins support = yes
>>     wins proxy = yes
>>     enhanced browsing = yes
>>     dns proxy = yes
>>     time server = yes
>>     local master = yes
>>     smb ports = 139
>>
>>     #LDAP
>>     ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>>     ldap suffix = dc=jusbaires,dc=gov,dc=ar
>>     ldap group suffix = ou=Group
>>     ldap user suffix = ou=People
>>     ldap machine suffix = ou=alem,ou=Computers
>>     ldap delete dn = no
>>     ldap passwd sync = yes
>>
>>     #Printer Options
>>     printcap name = /dev/null
>>     printing = bsd
>>     load printers = no
>>
>>     #Security Options
>>     admin users = administrador lgiacchetta
>>     enable privileges = yes
>>     preferred master = yes
>>     lm announce = yes
>>     domain master = yes
>>     domain logons = yes
>>     encrypt passwords = yes
>>     pam password change = yes
>>     passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar"
>>     passwd chat debug = no
>>     check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
>>     unix charset = 850
>>     dont descend = .recycle
>>     delete veto files = yes
>>     restrict anonymous = 1
>>
>>     #Profiles stuff
>>     logon script = netlogon.%U.bat
>>     logon path = \\PDC\profiles\%U
>>     logon home = \\PDC\personal
>>     logon drive = H:
>>     hide files = /Desktop.ini/desktop.ini/
>>     hide dot files = yes
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--
***
Cleber P. de Souza
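
An added example, not part of the thread and not Samba project code: a small program usable as a "check password script" that applies the character-class rules asked about and rejects a password containing the account name. Samba passes the candidate password on standard input and accepts it only when the program exits 0. The thresholds and the name policy_failures are hypothetical, and it is an assumption that the running Samba exports SAMBA_CPS_ACCOUNT_NAME (newer releases do); without it the username rule is skipped.

```python
#!/usr/bin/env python3
"""Added example of a Samba 'check password script' (not from the thread)."""
import os
import sys

# Assumed policy values; adjust them to the site policy.
MIN_LEN = 8
MIN_UPPER = 1
MIN_LOWER = 1
MIN_DIGIT = 1


def policy_failures(password, username=""):
    """Return the names of the rules the password violates (empty = accept)."""
    failures = []
    if len(password) < MIN_LEN:
        failures.append("length")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        failures.append("uppercase")
    if sum(c.islower() for c in password) < MIN_LOWER:
        failures.append("lowercase")
    if sum(c.isdigit() for c in password) < MIN_DIGIT:
        failures.append("digit")
    # Reject a password that embeds the account name or its reverse.
    user = username.lower()
    lowered = password.lower()
    if user and (user in lowered or user[::-1] in lowered):
        failures.append("contains-username")
    return failures


def main():
    # Strip only a trailing line terminator; spaces may be part of the password.
    password = sys.stdin.read().rstrip("\r\n")
    # Assumption: only newer Samba releases set this variable.
    username = os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    failures = policy_failures(password, username)
    if failures:
        # Report rule names only, never the password itself.
        print("rejected: " + ",".join(failures), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script receives only the new password, so rules that compare it with the old one (such as difok in the pam_cracklib line above) cannot be implemented here.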