[Samba] Samba Password Policy IPA

2013-10-11 Thread Zachary Musselman
Hello,

We currently have Samba 3 and IPA running together.

There are issues with IPA and Samba understanding the password policy IPA
has for a given user.

Currently we are attempting to match a policy in Samba using pdbedit -P

pdbedit -P "min password length" -C 8
pdbedit -P "bad lockout attempt" -C 6
pdbedit -P "lockout duration" -C 60
pdbedit -P "password history" -C 10   **not working
pdbedit -P "reset count minutes" -C 1
pdbedit -P "maximum password age" -C 90
pdbedit -P "minimum password age" -C 1

Here is our IPA policy:
Max lifetime (days): 90
Min lifetime (hours): 1
History size (number of passwords): 10
Character classes: 3
Min length: 8
Max failures: 6
Failure reset interval (seconds): 60
Lockout duration (seconds): 600

There are certain admin users however that shouldn't have their password
expire every 90 days.

I'm assuming if I set the above pdbedit commands then ALL users who login
to Windows will have to change their password after 90 days.

That's what I want but certain admin users should not.  Is there a way to
exclude users from a password policy in Samba?

Thanks
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
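
Added example, not part of the original post: the IPA values above translated into pdbedit account-policy commands in the units Samba 3 expects (password ages in seconds, lockout duration and reset count in minutes). The function names are this example's own, and the script only prints the commands; it runs nothing.

```shell
#!/bin/sh
# Added example: derive pdbedit account-policy commands from the IPA policy
# values, converting units on the way.
# pdbedit -P units: "maximum password age" / "minimum password age" = seconds,
# "lockout duration" / "reset count minutes" = minutes.

# Constructed input: the IPA policy values quoted in the post.
ipa_policy() {
    cat <<'EOF'
Max lifetime (days): 90
Min lifetime (hours): 1
History size (number of passwords): 10
Character classes: 3
Min length: 8
Max failures: 6
Failure reset interval (seconds): 60
Lockout duration (seconds): 600
EOF
}

# Reads "Label: value" lines on stdin and prints one pdbedit command per
# setting that has a Samba 3 account-policy counterpart. Nothing is executed.
ipa_to_pdbedit() {
    awk -F': *' '
    function emit(name, value) {
        printf "pdbedit -P \"%s\" -C %d\n", name, value
    }
    # Round seconds up to whole minutes so a lockout never ends early.
    function minutes(sec) { return int((sec + 59) / 60) }
    NF < 2 { next }
    {
        label = $1; v = $2 + 0
        if      (label ~ /^Max lifetime/)           emit("maximum password age", v * 86400)
        else if (label ~ /^Min lifetime/)           emit("minimum password age", v * 3600)
        else if (label ~ /^History size/)           emit("password history", v)
        else if (label ~ /^Min length/)             emit("min password length", v)
        else if (label ~ /^Max failures/)           emit("bad lockout attempt", v)
        else if (label ~ /^Failure reset interval/) emit("reset count minutes", minutes(v))
        else if (label ~ /^Lockout duration/)       emit("lockout duration", minutes(v))
        else printf "# no account-policy field for: %s = %s\n", label, $2
    }'
}

ipa_policy | ipa_to_pdbedit
```

These account policies are domain-wide; "Character classes" has no pdbedit field and is reported as a comment line.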


Re: [Samba] Password Policy - how to reduce password complexity

2013-03-20 Thread Nico Kadel-Garcia
On Sun, Mar 3, 2013 at 12:25 AM, Gregory Sloop gr...@sloop.net wrote:


  Windows cannot set the password for  because: The password does not
 meet the password policy requirements. Check the minimum password length,
 password complexity and password history requirements.


 TS It's giving that error because you have a minimum length specified or
 TS complexity on. If you want to change that you need to run  'samba-tool
 TS domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
 TS really want to disable complexity and allow very weak passwords?

 I think best practices show that passwords that are too hard to
 remember [IMO the complexity requirement starts to get into this area]
 simply frustrate users and the result will be they write down the
 password and stick it near the computer. That is far worse than a
 weak password. It's a password you can find by pulling open the top
 drawer of their desk, looking under their keyboard, or simply looking
 at the postie on the monitor.

There are trade-offs (from old security work). Too-complex passwords
tend to get used *everywhere* by the same person, and get cut and
pasted into scripts. This leads to escalation attacks, where a
password sniffed by people using HTTP for LDAP or Kerberos managed
passwords or using locally stored passwords for Subversion, chef, CVS,
or other risky tools wind up with their site-wide email and login
passwords copied or written into Wikis. (God knows I've seen that!!)

Too simple passwords get brute-force cracked, remotely, all day long
all over the world on exposed hosts, which I've been seeing for
over 20 years, since I had to deal with the Morris Worm.

 I'd recommend something like LastPass, but that's not really
 applicable here, unless you're going to pull it off your phone or
 something.

I'm personally fond of the XKCD algorithm:

http://xkcd.com/936/

Sets of personally memorable words in plain-text, no case mixing, long
enough to have much higher entropy than the 8 character l33tSk!z
passwords and less likely to cause RSI or mistyping locking you out of
your account.


[Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Immo Wetzel
Hi,

I'm really new with Samba 4. Great work. Thanks to the team.

But right now a question I haven't solved from the FAQ.
Can I use the Group Policy - Computer - Account - Password Policy
to restrict the password complexity? It seems not. I use the Windows 7 remote
Admin tools to write a valid policy but it seems it's not activated or used.

elkberry


Re: [Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Thomas Simmons
On Sat, Mar 2, 2013 at 3:55 PM, Immo Wetzel iwet...@gmx.net wrote:

 Hi,

 I'm really new with Samba 4. Great work. Thanks to the team.

 But right now a question I haven't solved from the FAQ.
 Can I use the Group Policy - Computer - Account - Password Policy
 to restrict the password complexity? It seems not. I use the Windows 7
 remote Admin tools to write a valid policy but it seems it's not activated
 or used.

 elkberry

 This is done on the DC with the command 'samba-tool domain
passwordsettings'.


Re: [Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Thomas Simmons
On Sat, Mar 2, 2013 at 4:51 PM, Immo Wetzel iwet...@gmx.net wrote:

 A bit more clear.

 Windows says

  Windows cannot set the password for  because: The password does not
 meet the password policy requirements. Check the minimum password length,
 password complexity and password history requirements.


It's giving that error because you have a minimum length specified or
complexity on. If you want to change that you need to run  'samba-tool
domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
really want to disable complexity and allow very weak passwords?



 - Original message -
 From: Thomas Simmons
 Sent: 02.03.13 22:20
 To: Immo Wetzel
 Subject: Re: [Samba] Password Policy - how to reduce password complexity

 On Sat, Mar 2, 2013 at 3:55 PM, Immo Wetzel iwet...@gmx.net wrote:

 Hi,

 I'm really new with Samba 4. Great work. Thanks to the team.

 But right now a question I haven't solved from the FAQ.
 Can I use the Group Policy - Computer - Account - Password Policy
 to restrict the password complexity? It seems not. I use the Windows 7
 remote Admin tools to write a valid policy but it seems it's not activated
 or used.

 elkberry


 This is done on the DC with the command 'samba-tool domain
 passwordsettings'.



 elkberry


Re: [Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Gregory Sloop


  Windows cannot set the password for  because: The password does not
 meet the password policy requirements. Check the minimum password length,
 password complexity and password history requirements.


TS It's giving that error because you have a minimum length specified or
TS complexity on. If you want to change that you need to run  'samba-tool
TS domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
TS really want to disable complexity and allow very weak passwords?

I think best practices show that passwords that are too hard to
remember [IMO the complexity requirement starts to get into this area]
simply frustrate users and the result will be they write down the
password and stick it near the computer. That is far worse than a
weak password. It's a password you can find by pulling open the top
drawer of their desk, looking under their keyboard, or simply looking
at the postie on the monitor.

I'd recommend something like LastPass, but that's not really
applicable here, unless you're going to pull it off your phone or
something.

IMO, for most of my mid-to-smaller clients, I disable password
complexity requirements. I also disable the can't reuse passwords for
4675 years. (sarcasm)

I've tended to simply generate passwords for each user and provide
them with a copy. We pick multiple quasi-words with some numbers and
simply live with some decreased security. [If the attacker can hit
your authenticator db with millions of guesses, on or off-line, the
game's probably over anyway.]

I'm sure that doesn't work for everyone - but a good admin should know
when and where to require higher security passwords and when not to.
If the admin doesn't know this - then they'll make a myriad of other
mistakes, so that high password complexity requirement will largely be
useless. [i.e. A high security lock in a styrofoam door.]

So, I guess I'd summarize this as: If high complexity passwords are
appropriate for your site, use them. If not, don't feel particularly
bad about not using them.

-Greg





Re: [Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Neal Murphy
On Sunday, March 03, 2013 12:25:49 AM Gregory Sloop wrote:

 IMO, for most of my mid-to-smaller clients, I disable password
 complexity requirements. I also disable the can't reuse passwords for
 4675 years. (sarcasm)

I take this one step further for small offices--without IT staff--where pretty 
much everyone knows everyone's business. *I* dream up mnemonic passwords based 
on what they do and what the business does. Staff members easily remember the 
passwords and the business admin keeps the list in an inaccessible location in 
a password-protected spreadsheet along with all the internet passwords they 
use to purchase equipment and supplies and renew licenses. The main benefits:

  - They use reasonably strong passwords
  - They remember the passwords
  - I can log in as them when they have access problems
  - When someone leaves, needed internet accounts are continued with a
mere email/name/password change

I periodically change all the passwords, but not frequently. Staff have better 
things to do than having to memorize a new password whenever they sneeze.

I also put wireless outside the firewalled office LAN and require employees to 
use openVPN to access the protected LAN from wireless or internet (they're 
really the same). But I digress.


[Samba] Password policy doesn't work (pdbedit)

2009-09-15 Thread Radek
Hello,

I'm using samba 3.0.24 and Debian 4.0. As a password backend I use
smbpasswd.

I set password policy: Length - 8 signs, Password history - 3, password
complexity - script, maximum password age - 30 days

The password length and complexity work, but password history and
maximum password age don't.

I tried to do the same on a test machine (samba 3.2.5) and it works fine (users
and settings I took from my working Samba 3.0.24).

What can I do about that? What should I check? Any ideas?

Pdbedit shows correct settings but the password must change time is 19 jan
2038 04:14:07 CET

Thanks and regards

Radek Bojek



Re: [Samba] Password policy doesn't work (pdbedit)

2009-09-15 Thread Gareth Cummings
I had the same problem when I set a password policy using pdbedit and 
tdbsam as the backend... turns out the policy would only apply to new 
accounts and not existing ones.  However if I got the existing users to 
reset their passwords manually the account policy would kick in. 


Radek wrote:

Hello,

I'm using samba 3.0.24 and Debian 4.0. As a password backend I use
smbpasswd.

I set password policy: Length - 8 signs, Password history - 3, password
complexity - script, maximum password age - 30 days

The password length and complexity work, but password history and
maximum password age don't.

I tried to do the same on a test machine (samba 3.2.5) and it works fine (users
and settings I took from my working Samba 3.0.24).

What can I do about that? What should I check? Any ideas?

Pdbedit shows correct settings but the password must change time is 19 jan
2038 04:14:07 CET

Thanks and regards

Radek Bojek

  



Re: [Samba] Password policy under Samba 4?

2009-09-02 Thread Michael Wood
2009/9/1 Michael Wood esiot...@gmail.com:
 How does one set a password policy using Samba 4?

 I've set up Samba 4 as a domain controller with one Windows 2003
 server joined to the domain.  I've seen mention of the check password
 script option, but I think that's not available in Samba 4, right?
 I've also seen mention of Group Policies, but I am not sure if this is
 correct or not because I haven't been able to find anything in the
 Group Policy management tool on Windows that seems applicable.

 Basically I just want to know where to set the user must change
 password after 30 days and password must be at least X characters
 long settings and have these apply to users logging into the Windows
 machine.

 I'd appreciate it if someone could point me at the relevant documentation.

I've now found dompol.msc on a Windows 2003 Server AD domain
controller.  This seems to be what I'm looking for, but if I try
running dompol.msc on a Windows 2003 Server joined to the Samba 4
domain as a member server I get an error saying:

Failed to open the Group Policy Object.  You may not have appropriate rights.
Details: The specified domain either does not exist or could not be contacted.

This is while logged in to the Windows machine as
administra...@example.org (where example.org is the domain I'm using
for testing.)  Also, dsa.msc works fine for adding users/groups etc.
I'm running samba with -d100 and nothing appears to be logged when I
start dompol.msc.  I can start dompol.msc, acknowledge the error and
close it down again without anything at all being added to the log.

Group Policy Management shows a Default Domain Policy and I can
create a new test policy object, but dompol.msc still gives the same
error with no evidence of having contacted Samba at all.  Even tcpdump
on the Samba box and wireshark on the Windows box show nothing
happening when I start, acknowledge and stop dompol.msc.

Any ideas?

Thanks.

-- 
Michael Wood esiot...@gmail.com


[Samba] Password policy under Samba 4?

2009-09-01 Thread Michael Wood
How does one set a password policy using Samba 4?

I've set up Samba 4 as a domain controller with one Windows 2003
server joined to the domain.  I've seen mention of the check password
script option, but I think that's not available in Samba 4, right?
I've also seen mention of Group Policies, but I am not sure if this is
correct or not because I haven't been able to find anything in the
Group Policy management tool on Windows that seems applicable.

Basically I just want to know where to set the user must change
password after 30 days and password must be at least X characters
long settings and have these apply to users logging into the Windows
machine.

I'd appreciate it if someone could point me at the relevant documentation.

-- 
Michael Wood esiot...@gmail.com


[Samba] password policy

2009-08-25 Thread Theodoro
hi,


How can I configure a policy for:

1 -  the password be different of login, name, phone

2 -  contain at least 3 character to 12,$%,ab,AB


sorry for my english


-- 
Daniel Theodoro
9399-3364

(LPIC-1) Junior Level Linux Professional
(LPIC-2) Advanced Level Linux Professional


Re: [Samba] password policy

2009-08-25 Thread John Drescher
 How can I configure a policy for:

 1 -  the password be different of login, name, phone

 2 -  contain at least 3 character to 12,$%,ab,AB


 sorry for my english


Are you using ldap?

John


Re: [Samba] password policy

2009-08-25 Thread Theodoro
yes

On Tue, Aug 25, 2009 at 10:33 AM, John Drescher dresche...@gmail.com wrote:

  How can I configure a policy for:
 
  1 -  the password be different of login, name, phone
 
  2 -  contain at least 3 character to 12,$%,ab,AB
 
 
  sorry for my english
 

 Are you using ldap?

 John




-- 
Daniel Theodoro
9399-3364

(LPIC-1) Junior Level Linux Professional
(LPIC-2) Advanced Level Linux Professional


[Samba] Password policy not being used

2009-07-16 Thread David Christensen
I have my samba deployment using an ldap backend.  I made changes to the
password policy that is stored in the sambadomain object but windows
clients are not adhering to the policy.  Do I need something in the
smb.conf file that enables this or something else I am missing?



[Samba] Password Policy for Samba Ldap PDC

2008-05-15 Thread Alexandre Andrade
Hello All,

I've a customer with a problem. They need to apply some policies in your
Samba LDAP (SMBLDAPTOOLS) passwords, like this:

- Passwords Expiration
- Minimum length
- History
- Quality of Password
- Block after 3 incorrect logon attempts

Is it possible to do it with the Default Samba schema ? Is there another way
to implement ?

Thanks for any Help.

Best Regards.

-- 
Alexandre Andrade
São Paulo - SP
[EMAIL PROTECTED]
(55 11) 8555-9279
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Password Policy for Samba Ldap PDC

2008-05-15 Thread Adam Tauno Williams
 I've a customer with a problem. They need to apply some policies in your
 Samba LDAP (SMBLDAPTOOLS) passwords, like this:
 - Passwords Expiration

Yes

 - Minimum length

Yes

 - History

Yes

 - Quality of Password

No (at least without hackery)

 - Block after 3 incorrect logon attempts

Yes (although I've seen some odd stuff)

 Is it possible to do it with the Default Samba schema ? Is there another way
 to implement ?

Yes.  man pdbedit
-- 
  Consonance: an Open Source .NET OpenGroupware client.
 Contact:[EMAIL PROTECTED]   http://freshmeat.net/projects/consonance/



Re: [Samba] Password Policy for Samba Ldap PDC

2008-05-15 Thread Adam Tauno Williams
Please keep all traffic on the list.

 Where Can I get pbedit (Download) ?

pdbedit is part of the Samba packages.

 I read some docs about pbedit, Is it possible to integrate pbedit with
 SMBLDAPTOOLS ?

I know nothing about smbldaptools;  I don't use them at any of my sites.
-- 
  Consonance: an Open Source .NET OpenGroupware client.
 Contact:[EMAIL PROTECTED]   http://freshmeat.net/projects/consonance/



[Samba] password policy on PDC

2006-06-08 Thread Stefan Varga

Hi all,

is it possible to exclude certain privileged accounts from NT4 password
policy on Samba PDC?
I'm looking for an option: do not apply password policy for those
accounts or apply another password policy.

Thanks.
Stefan



[Samba] Password policy problem

2006-06-04 Thread Dean Plant

I'm looking to implement a global password policy in Samba 3.0.22

I noticed during testing that if I use a minimum password age of say 7
days and then create a user via User Manager with the option of user
must change password at first login the user is requested to change
the password but is then denied by the policy.

Is there any way to create a user and allow the policy to apply after
the first password change?

Thanks

Dean


[Samba] Password Policy in Samba

2005-12-19 Thread Marcelo Gonçalves Diotto

Hello Everybody,
   I have a domain with Samba 3 + OpenLDAP and I would like to create a
password policy, for example:

   - At least 8 characters
   - Different from the last one
   - At least 2 numbers

Does anyone know how I do it?
Thanks

--
Marcelo Gonçalves Diotto   e-mail: [EMAIL PROTECTED]
Computing Support Analyst / Network Administrator
Centro Superior de Educação Tecnológica - CESET   Phone: (19) 3404-7270
Universidade Estadual de Campinas - UNICAMP   Fax: (19) 3404-7164


If one day you have to choose between the world and love...
Remember: if you choose the world, you will be left without love,
but if you choose love, with it you will conquer the world!

Albert Einstein



Re: [Samba] Password Policy in Samba

2005-12-19 Thread Andrew Bartlett
On Mon, 2005-12-19 at 13:40 -0200, Marcelo Gonçalves Diotto wrote:
 Hello Everybody,
 I have a domain with Samba 3 + OpenLDAP and I would like to create a
 password policy, for example:
 - At least 8 characters
 - Different from the last one
 - At least 2 numbers
 
 Does anyone know how I do it?
 Thanks

The way I do this is via the 'check password script' option.  If you see
the smb.conf manpage, there is the example usage.  The crackcheck
source is in example/auth in your samba tarball.

This checks for password complexity (and is very nasty, also no
dictionary words etc), but not difference - that is configured in the
account policy.  I think that's all documented in the Guide.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
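
Added example, not Andrew Bartlett's or the Samba project's code: a minimal script for the 'check password script' option that enforces the length and digit rules from the question. Samba hands the candidate password to the script on standard input and accepts it only on exit status 0; the --stdin switch, the function name and the install path in the comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example: password check for smb.conf, e.g. (hypothetical path)
#   check password script = /usr/local/sbin/pwcheck.sh --stdin
# Rules from the question: at least 8 characters, at least 2 digits.
# "Different from the last one" is not checked here; that is the
# "password history" account policy.

MIN_LENGTH=8   # from the question
MIN_DIGITS=2   # from the question

# check_password PASSWORD -> returns 0 if acceptable, 1 if not.
check_password() {
    pw=$1
    # Length as the shell counts it (bytes in some shells, characters in others).
    [ "${#pw}" -ge "$MIN_LENGTH" ] || return 1
    # Delete everything that is not a digit and measure what is left.
    only_digits=$(printf '%s' "$pw" | tr -cd '0-9')
    [ "${#only_digits}" -ge "$MIN_DIGITS" ] || return 1
    return 0
}

# Mode used by Samba: read one candidate from stdin, answer via exit status.
# The password never appears on a command line or in the output.
if [ "${1:-}" = "--stdin" ]; then
    IFS= read -r candidate || [ -n "$candidate" ]
    check_password "$candidate"
    exit $?
fi

# Without --stdin: show the verdict for a few constructed sample passwords.
for sample in 'winter' 'longpassword' 'longpassw0rd' 'c0rrecthorse7'; do
    if check_password "$sample"; then verdict=accept; else verdict=reject; fi
    printf '%-16s %s\n' "$sample" "$verdict"
done
```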



[Samba] password policy

2005-10-06 Thread Niels Peuyn
Hello,

PDC: Samba 2.2.5 on FreeBSD 4.11 
Clients: WindowsXP SP2 (local user profiles)

The WindowsXP clients login to the PDC.
The users can change their password on
local PC and Samba in one step (Ctrl+Alt+Del - Change Password)

Now my question:
How can I set password policies like min. password length 
I tried to do that with gpedit, but it works, if the user
login to the local PC, only.

Thanks in advance
Niels 



RE [Samba] password policy

2005-10-06 Thread stephane . purnelle
Hi,

 pdbedit -P "min password length" -C value


---
Stéphane PURNELLE [EMAIL PROTECTED]
IT Department   Corman S.A.   Tel: 00 32 087/342467

[EMAIL PROTECTED] wrote on 06/10/2005 11:40:33:

 Hello,
 
 PDC: Samba 2.2.5 on FreeBSD 4.11 
 Clients: WindowsXP SP2 (local user profiles)
 
 The WindowsXP clients login to the PDC.
 The users can change their password on
 local PC and Samba in one step (Ctrl+Alt+Del - Change Password)
 
 Now my question:
 How can I set password policies like min. password length 
 I tried to do that with gpedit, but it works, if the user
 login to the local PC, only.
 
 Thanks in advance
 Niels 
 


Re: RE [Samba] password policy

2005-10-06 Thread Niels Peuyn
Hi Stéphane,
 
  pdbedit -P "min password length" -C value
 

thanks for your reply.
Ok, I will upgrade Samba to Version 3 and try pdbedit. 8-))

Thank you very much
Niels