Allright! I fix one of the problems. How can you check that the user is not using an old password?

pdbedit -P list
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change

pdbedit -P "password history" -C 4

This actually works! Now my ldiff shows:
smbldap-usershow glorenzutti | grep sambaPassword
sambaPasswordHistory: 09DEA23A420CB589FB6F14988B67FF0B839BD8518FBEA395AEFA6F77E907F630245AC934D62C1472F2324A977F76616E5670EF67F0793D8218977A2BAAD03817813D37ACA0EC6DBF46AF0B507B55E09D6431E1A0E609D0013DACB3B0BD4CD7350000000000000000000000000000000000000000000000000000000000000000

This is great. I have working this and the dictionary passwords with the "check password script".

Know what Im missing:

1) check that the new password is not similar to the old one.
2) check that the new password has at least 2 digits.

The thing I found that dosen't work is the pdbedit -P "maximum password age" -C someunixtime The default says 4294967295 and if I put 1180224000 instead ( 6 months ), when I change a password it goes to 1907!

Any clues?

Thanks.



Guido Lorenzutti wrote:
welll.... obey pam restrictions and "encrypt passwords = yes" dosen't work at the same time. If you select "encrypt passwords = yes" "obey pam .." dosen't work anymore. And I cant say no to encrypt passwords...

Any other idea?


Guido Lorenzutti wrote:
Thank you for you answear, but I try what you say and it dosen't work.
I now using obey pam restrictions, I restart samba... and this is my pam config:

bowman:/var/log# cat /etc/pam.d/samba
account required  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
auth    required    /lib/security/pam_env.so
auth    sufficient  /lib/security/pam_unix.so likeauth nullok shadow
auth    sufficient  /lib/security/pam_ldap.so use_first_pass
auth    required    /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3 password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password    sufficient /lib/security/pam_ldap.so use_authtok
password    required /lib/security/pam_deny.so
session required    /lib/security/pam_limits.so
session required    /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
session optional    /lib/security/pam_ldap.so

bowman:/var/log# testparm -v | grep obey
Load smb config files from /etc/samba/smb.conf
Processing section "[personal]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[publico]"
Processing section "[Grupos]"
Processing section "[profiles2]"
Processing section "[payroll]"
Processing section "[payrolladmin]"
Processing section "[Aida]"
Processing section "[esempi]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

       obey pam restrictions = Yes

But when I try to change the password, I can use my old one still. I can use a password withouth the two digits... like nothing.
Are you sure that with ldap the obey pam restrictions works?

Thanks in advance... Sorry for my english.


Cleber P. de Souza wrote:
Hi Guido,

There are a set of ways to accomplish such task.
Some I use is:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
This check the user password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password    requisite    /lib/security/$ISA/pam_passwdqc.so
min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64
enforce=users retry=3
See the man pages for correct options values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti <[EMAIL PROTECTED]> wrote:
Maybe I can do this with the "check password script". But I only found
the cracklib example. Anyone knows a way of doing this? Becouse the
cracklib example only check agains a dictionary.

Tnxs in advance.


Gary Dale wrote:
> I think you'll find at least some of these are Windows Policies and
> would not be reflected in the smb.conf file. If you check the Samba
> Howto collection and the Samba by example documents at samba.org,
> you'll find examples of how to set some of the policies.
>
> To be honest, I've never gone beyond requiring password changes,
> minimum lengths and histories.  :)
>
>
> Guido Lorenzutti wrote:
>> Hi people! I have a few problems with the password strength in Samba.
>> I have a PDC with LDAP on Debian Stable, with a few packages from
>> backports.
>> The problem is that I can't find a way to enforce strenght to the
>> passwords of the users. I can't define a policy to force things like:
>> number of uppercase letters, number of downcase letters, number of
>> numbers in the password, to check the diference between the new and
>> the old, to store a list of old passwords to check... I mean, things >> that are requiered to enforce some policy of security by my company.
>> Bottom line? The users can put his username for password! Not even
>> that is checked...
>>
>> It's something wrong in my setup or is a feature request? I see min
>> password length.. but.. the rest?
>>
>>
>> This is the important part of my setup:
>>
>> [global]
>> #Network ID
>>        workgroup = JUSBAIRES
>>        netbios name = PDC
>>        netbios aliases = SERVER
>>        server string =
>>
>> #Logs
>>        debug level = 0
>>        syslog = 0
>>        log level = 0
>>        log file = /var/log/samba/%m.%U.log
>>        max log size = 10000
>>        panic action = /usr/share/samba/panic-action %d
>>
>> #Network Support
>>        name resolve order = wins hosts lmhosts bcast
>>        socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
>> IPTOS_LOWDELAY SO_KEEPALIVE
>>        wins support = yes
>>        wins proxy = yes
>>        enhanced browsing = yes
>>        dns proxy = yes
>>        time server = yes
>>        local master = yes
>>        smb ports = 139
>>
>> #LDAP
>>        ldap admin dn =
>> uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>>        ldap suffix = dc=jusbaires,dc=gov,dc=ar
>>        ldap group suffix = ou=Group
>>        ldap user suffix = ou=People
>>        ldap machine suffix = ou=alem,ou=Computers
>>        ldap delete dn = no
>>        ldap passwd sync = yes
>>
>> #Printer Options
>>        printcap name = /dev/null
>>        printing = bsd
>>        load printers = no
>>
>> #Security Options
>>        admin users = administrador lgiacchetta
>>        enable privileges = yes
>>        preferred master = yes
>>        lm announce = yes
>>        domain master = yes
>>        domain logons = yes
>>        encrypt passwords = yes
>>        pam password change = yes
>>        passdb backend = ldapsam:"ldap://127.0.0.1
>> ldap://alem-ldap.jusbaires.gov.ar
>> ldap://alem-systemlog.jusbaires.gov.ar";
>>        passwd chat debug = no
>>        check password script = /usr/local/bin/crackcheck -d
>> /var/cache/cracklib/cracklib_dict
>>        unix charset = 850
>>        dont descend = .recycle
>>        delete veto files = yes
>>        restrict anonymous = 1
>>
>> #Profiles stuff
>>        logon script = netlogon.%U.bat
>>        logon path = \\PDC\profiles\%U
>>        logon home = \\PDC\personal
>>        logon drive = H:
>>        hide files = /Desktop.ini/desktop.ini/
>>        hide dot files = yes
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to