Re: [Samba] password strenght doubt

2006-12-30 Thread John H Terpstra
Please read the documentation. Samba3-HOWTO.pdf is a good start. You can 
obtain it from: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

The utility you need to master is called 'pdbedit', but before using it please 
read up on user rights and privileges and on policies.

- John T.

On Tuesday 26 December 2006 11:36, Guido Lorenzutti wrote:
 Hi people! I have a few problems with the password strength in Samba.
 I have a PDC with LDAP on Debian Stable, with a few packages from
 backports. The problem is that I can't find a way to enforce strength to
 the passwords of the users. I can't define a policy to force things like:
 number of uppercase letters, number of downcase letters, number of
 numbers in the password, to check the difference between the new and the
 old, to store a list of old passwords to check... I mean, things that
 are required to enforce some policy of security by my company.
 Bottom line? The users can put his username for password! Not even that
 is checked...

 It's something wrong in my setup or is a feature request? I see min
 password length.. but.. the rest?


 This is the important part of my setup:

 [global]
 #Network ID
 workgroup = JUSBAIRES
 netbios name = PDC
 netbios aliases = SERVER
 server string =

 #Logs
 debug level = 0
 syslog = 0
 log level = 0
 log file = /var/log/samba/%m.%U.log
 max log size = 1
 panic action = /usr/share/samba/panic-action %d

 #Network Support
 name resolve order = wins hosts lmhosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
 wins support = yes
 wins proxy = yes
 enhanced browsing = yes
 dns proxy = yes
 time server = yes
 local master = yes
 smb ports = 139

 #LDAP
 ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
 ldap suffix = dc=jusbaires,dc=gov,dc=ar
 ldap group suffix = ou=Group
 ldap user suffix = ou=People
 ldap machine suffix = ou=alem,ou=Computers
 ldap delete dn = no
 ldap passwd sync = yes

 #Printer Options
 printcap name = /dev/null
 printing = bsd
 load printers = no

 #Security Options
 admin users = administrador lgiacchetta
 enable privileges = yes
 preferred master = yes
 lm announce = yes
 domain master = yes
 domain logons = yes
 encrypt passwords = yes
 pam password change = yes
 passdb backend = ldapsam:ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar;
 passwd chat debug = no
 check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
 unix charset = 850
 dont descend = .recycle
 delete veto files = yes
 restrict anonymous = 1

 #Profiles stuff
 logon script = netlogon.%U.bat
 logon path = \\PDC\profiles\%U
 logon home = \\PDC\personal
 logon drive = H:
 hide files = /Desktop.ini/desktop.ini/
 hide dot files = yes
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] password strenght doubt (maximum password age not working)

2006-12-28 Thread Cleber P. de Souza

Hi Guido,


Now what I'm missing:

1) check that the new password is not similar to the old one.

The pam_cracklib man pages show exactly what are you found:
By default, pam_cracklib performs a number of basic checks on the new password:
Simple Checks (http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
   * Is the new password just the old password with the letters
reversed (password vs. drowssap) or rotated (password vs.
asswordp)?
   * Does the new password only differ from the old one due to change
of case (password vs. Password)?
   * Are at least some minimum number of characters in the new
password not present in the old password? This is where the difok
parameter comes into play.

The difok value sets how many characters must be different from the
actual password.



2) check that the new password has at least 2 digits.


The dcredit value from pam_cracklib does this. Set to 2 for your desired results.

The man pages show a lot of information.
Take care of reading all the options.

Any doubts ask the list.


The thing I found that doesn't work is the pdbedit -P maximum password
age -C someunixtime
The default says 4294967295 and if I put 1180224000 instead ( 6 months
), when I change a password it goes to 1907!

Any clues?

Thanks.



Guido Lorenzutti wrote:
 well, obey pam restrictions and encrypt passwords = yes doesn't
 work at the same time. If you select encrypt passwords = yes obey
 pam .. doesn't work anymore. And I can't say no to encrypt passwords...

 Any other idea?


 Guido Lorenzutti wrote:
 Thank you for your answer, but I tried what you said and it doesn't work.
 I'm now using obey pam restrictions, I restarted samba... and this is my
 pam config:

 bowman:/var/log# cat /etc/pam.d/samba
 account required  /lib/security/pam_unix.so
 account sufficient  /lib/security/pam_ldap.so
 auth required /lib/security/pam_env.so
 auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
 auth sufficient /lib/security/pam_ldap.so use_first_pass
 auth required /lib/security/pam_deny.so
 password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3
 password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
 password sufficient /lib/security/pam_ldap.so use_authtok
 password required /lib/security/pam_deny.so
 session required /lib/security/pam_limits.so
 session required /lib/security/pam_unix.so
 session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
 session optional /lib/security/pam_ldap.so

 bowman:/var/log# testparm -v | grep obey
 Load smb config files from /etc/samba/smb.conf
 Processing section [personal]
 Processing section [netlogon]
 Processing section [profiles]
 Processing section [publico]
 Processing section [Grupos]
 Processing section [profiles2]
 Processing section [payroll]
 Processing section [payrolladmin]
 Processing section [Aida]
 Processing section [esempi]
 Loaded services file OK.
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

obey pam restrictions = Yes

 But when I try to change the password, I can use my old one still. I
 can use a password without the two digits... like nothing.
 Are you sure that with ldap the obey pam restrictions works?

 Thanks in advance... Sorry for my english.


 Cleber P. de Souza wrote:
 Hi Guido,

 There are a set of ways to accomplish such task.
 Some I use is:
 1) Set obey pam restrictions = yes in the smb.conf file.
 2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
 This check the user password against a dictionary. Crackcheck can be
 downloaded from samba
 (http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).

 The cracklib package must be installed for the dictionary to work.
 3) Use pam pam_cracklib to set your password rules for lower/upper
 characters, numbers, special characters, etc:
 password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
 Or pam_passwdqc for the same thing:
 password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
 See the man pages for correct options values.
 4) You can block users after X retries using pam pam_tally.so, but I
 haven't tried this yet.

 I think this can help you.


 On 12/26/06, Guido Lorenzutti [EMAIL PROTECTED] wrote:
 Maybe I can do this with the check password script. But I only found
 the cracklib example. Anyone knows a way of doing this? Because the
 cracklib example only checks against a dictionary.

 Tnxs in advance.


 Gary Dale wrote:
  I think you'll find at least some of these are Windows Policies and
  would not be reflected in the smb.conf file. If you check the Samba
  Howto collection and the Samba by example documents at samba.org,
  you'll find examples of how to set some of the policies.
 
  To be honest, I've never gone 

Re: [Samba] password strenght doubt

2006-12-27 Thread Guido Lorenzutti

Thank you for your answer, but I tried what you said and it doesn't work.
I'm now using obey pam restrictions, I restarted samba... and this is my pam
config:


bowman:/var/log# cat /etc/pam.d/samba
account required  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
session optional /lib/security/pam_ldap.so

bowman:/var/log# testparm -v | grep obey
Load smb config files from /etc/samba/smb.conf
Processing section [personal]
Processing section [netlogon]
Processing section [profiles]
Processing section [publico]
Processing section [Grupos]
Processing section [profiles2]
Processing section [payroll]
Processing section [payrolladmin]
Processing section [Aida]
Processing section [esempi]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

   obey pam restrictions = Yes

But when I try to change the password, I can use my old one still. I can 
use a password without the two digits... like nothing.

Are you sure that with ldap the obey pam restrictions works?

Thanks in advance... Sorry for my English.


Cleber P. de Souza wrote:

Hi Guido,

There are a set of ways to accomplish such task.
Some I use is:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict

This check the user password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
See the man pages for correct options values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti [EMAIL PROTECTED] wrote:

Maybe I can do this with the check password script. But I only found
the cracklib example. Anyone knows a way of doing this? Because the
cracklib example only checks against a dictionary.

Tnxs in advance.


Gary Dale wrote:
 I think you'll find at least some of these are Windows Policies and
 would not be reflected in the smb.conf file. If you check the Samba
 Howto collection and the Samba by example documents at samba.org,
 you'll find examples of how to set some of the policies.

 To be honest, I've never gone beyond requiring password changes,
 minimum lengths and histories.  :)


 Guido Lorenzutti wrote:
 Hi people! I have a few problems with the password strength in Samba.
 I have a PDC with LDAP on Debian Stable, with a few packages from
 backports.
 The problem is that I can't find a way to enforce strength to the
 passwords of the users. I can't define a policy to force things like:
 number of uppercase letters, number of downcase letters, number of
 numbers in the password, to check the difference between the new and
 the old, to store a list of old passwords to check... I mean, things
 that are required to enforce some policy of security by my company.
 Bottom line? The users can put his username for password! Not even
 that is checked...

 It's something wrong in my setup or is a feature request? I see min
 password length.. but.. the rest?


 This is the important part of my setup:

 [global]
 #Network ID
workgroup = JUSBAIRES
netbios name = PDC
netbios aliases = SERVER
server string =

 #Logs
debug level = 0
syslog = 0
log level = 0
log file = /var/log/samba/%m.%U.log
max log size = 1
panic action = /usr/share/samba/panic-action %d

 #Network Support
name resolve order = wins hosts lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
wins support = yes
wins proxy = yes
enhanced browsing = yes
dns proxy = yes
time server = yes
local master = yes
smb ports = 139

 #LDAP
 

Re: [Samba] password strenght doubt

2006-12-27 Thread Guido Lorenzutti
well, obey pam restrictions and encrypt passwords = yes doesn't
work at the same time. If you select encrypt passwords = yes obey pam
.. doesn't work anymore. And I can't say no to encrypt passwords...


Any other idea?


Guido Lorenzutti wrote:

Thank you for your answer, but I tried what you said and it doesn't work.
I'm now using obey pam restrictions, I restarted samba... and this is my
pam config:


bowman:/var/log# cat /etc/pam.d/samba
account required  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
session optional /lib/security/pam_ldap.so

bowman:/var/log# testparm -v | grep obey
Load smb config files from /etc/samba/smb.conf
Processing section [personal]
Processing section [netlogon]
Processing section [profiles]
Processing section [publico]
Processing section [Grupos]
Processing section [profiles2]
Processing section [payroll]
Processing section [payrolladmin]
Processing section [Aida]
Processing section [esempi]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

   obey pam restrictions = Yes

But when I try to change the password, I can use my old one still. I 
can use a password without the two digits... like nothing.

Are you sure that with ldap the obey pam restrictions works?

Thanks in advance... Sorry for my english.


Cleber P. de Souza wrote:

Hi Guido,

There are a set of ways to accomplish such task.
Some I use is:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict

This check the user password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
See the man pages for correct options values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti [EMAIL PROTECTED] wrote:

Maybe I can do this with the check password script. But I only found
the cracklib example. Anyone knows a way of doing this? Because the
cracklib example only checks against a dictionary.

Tnxs in advance.


Gary Dale wrote:
 I think you'll find at least some of these are Windows Policies and
 would not be reflected in the smb.conf file. If you check the Samba
 Howto collection and the Samba by example documents at samba.org,
 you'll find examples of how to set some of the policies.

 To be honest, I've never gone beyond requiring password changes,
 minimum lengths and histories.  :)


 Guido Lorenzutti wrote:
 Hi people! I have a few problems with the password strength in Samba.
 I have a PDC with LDAP on Debian Stable, with a few packages from
 backports.
 The problem is that I can't find a way to enforce strength to the
 passwords of the users. I can't define a policy to force things like:
 number of uppercase letters, number of downcase letters, number of
 numbers in the password, to check the difference between the new and
 the old, to store a list of old passwords to check... I mean, things
 that are required to enforce some policy of security by my company.
 Bottom line? The users can put his username for password! Not even
 that is checked...

 It's something wrong in my setup or is a feature request? I see min
 password length.. but.. the rest?


 This is the important part of my setup:

 [global]
 #Network ID
workgroup = JUSBAIRES
netbios name = PDC
netbios aliases = SERVER
server string =

 #Logs
debug level = 0
syslog = 0
log level = 0
log file = /var/log/samba/%m.%U.log
max log size = 1
panic action = /usr/share/samba/panic-action %d

 #Network Support
name resolve order = wins hosts lmhosts bcast
socket options = TCP_NODELAY 

Re: [Samba] password strenght doubt (maximum password age not working)

2006-12-27 Thread Guido Lorenzutti
All right! I fixed one of the problems. How can you check that the user is
not using an old password?


pdbedit -P list
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change

pdbedit -P "password history" -C 4

This actually works! Now my ldiff shows:
smbldap-usershow glorenzutti | grep sambaPassword
sambaPasswordHistory: 
09DEA23A420CB589FB6F14988B67FF0B839BD8518FBEA395AEFA6F77E907F630245AC934D62C1472F2324A977F76616E5670EF67F0793D8218977A2BAAD03817813D37ACA0EC6DBF46AF0B507B55E09D6431E1A0E609D0013DACB3B0BD4CD735


This is great. I have working this and the dictionary passwords with the 
check password script.


Now what I'm missing:

1) check that the new password is not similar to the old one.
2) check that the new password has at least 2 digits.

The thing I found that doesn't work is the pdbedit -P maximum password
age -C someunixtime
The default says 4294967295 and if I put 1180224000 instead ( 6 months 
), when I change a password it goes to 1907!


Any clues?

Thanks.



Guido Lorenzutti wrote:
well, obey pam restrictions and encrypt passwords = yes doesn't
work at the same time. If you select encrypt passwords = yes obey
pam .. doesn't work anymore. And I can't say no to encrypt passwords...


Any other idea?


Guido Lorenzutti wrote:

Thank you for your answer, but I tried what you said and it doesn't work.
I'm now using obey pam restrictions, I restarted samba... and this is my
pam config:


bowman:/var/log# cat /etc/pam.d/samba
account required  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
session optional /lib/security/pam_ldap.so

bowman:/var/log# testparm -v | grep obey
Load smb config files from /etc/samba/smb.conf
Processing section [personal]
Processing section [netlogon]
Processing section [profiles]
Processing section [publico]
Processing section [Grupos]
Processing section [profiles2]
Processing section [payroll]
Processing section [payrolladmin]
Processing section [Aida]
Processing section [esempi]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

   obey pam restrictions = Yes

But when I try to change the password, I can use my old one still. I 
can use a password without the two digits... like nothing.

Are you sure that with ldap the obey pam restrictions works?

Thanks in advance... Sorry for my english.


Cleber P. de Souza wrote:

Hi Guido,

There are a set of ways to accomplish such task.
Some I use is:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict

This check the user password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/). 


The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
See the man pages for correct options values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti [EMAIL PROTECTED] wrote:

Maybe I can do this with the check password script. But I only found
the cracklib example. Anyone knows a way of doing this? Because the
cracklib example only checks against a dictionary.

Tnxs in advance.


Gary Dale wrote:
 I think you'll find at least some of these are Windows Policies and
 would not be reflected in the smb.conf file. If you check the Samba
 Howto collection and the Samba by example documents at samba.org,
 you'll find examples of how to set some of the policies.

 To be honest, I've never gone beyond requiring password changes,
 minimum lengths 
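
The character rules asked for in this thread (a minimum number of digits, upper- and lower-case letters, and no account name inside the password) can be enforced by the check password script itself; the script below is an added example, not part of the original messages and not the crackcheck program. Samba writes the candidate password to the script's standard input and accepts it only on exit status 0; the thresholds, the install path, the --stdin flag and the account name as a second argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a policy filter for smb.conf's
# "check password script". Samba writes the candidate password to the
# script's stdin; exit status 0 accepts it, any other status rejects it.
#
# Hypothetical install (path and flag are assumptions of this example):
#   check password script = /usr/local/bin/pwpolicy.sh --stdin

# Assumed policy thresholds; set them to the values your policy requires.
MIN_LEN=8
MIN_DIGITS=2
MIN_UPPER=1
MIN_LOWER=1

# count_class CLASS STRING: print how many bytes of STRING fall in CLASS
# (a tr range such as 0-9). LC_ALL=C keeps the ranges ASCII-only.
count_class() {
    printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# to_lower STRING: ASCII lower-casing for the case-insensitive comparison.
to_lower() {
    printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z'
}

# check_password PASSWORD [ACCOUNT]
# Returns 0 if the password passes, otherwise a distinct non-zero code:
#   1 too short, 2 too few digits, 3 too few upper-case letters,
#   4 too few lower-case letters, 5 contains the account name.
check_password() {
    pw=$1
    account=${2:-}

    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters" >&2
        return 1
    fi
    if [ "$(count_class '0-9' "$pw")" -lt "$MIN_DIGITS" ]; then
        echo "rejected: fewer than $MIN_DIGITS digits" >&2
        return 2
    fi
    if [ "$(count_class 'A-Z' "$pw")" -lt "$MIN_UPPER" ]; then
        echo "rejected: fewer than $MIN_UPPER upper-case letters" >&2
        return 3
    fi
    if [ "$(count_class 'a-z' "$pw")" -lt "$MIN_LOWER" ]; then
        echo "rejected: fewer than $MIN_LOWER lower-case letters" >&2
        return 4
    fi
    # Reject "username as password" and any password that embeds the name.
    if [ -n "$account" ]; then
        lpw=$(to_lower "$pw")
        lacct=$(to_lower "$account")
        case "$lpw" in
            *"$lacct"*)
                echo "rejected: contains the account name" >&2
                return 5
                ;;
        esac
    fi
    return 0
}

# Entry point for Samba. The guard keeps the functions reusable when the
# file is loaded without arguments, for example by a test.
if [ "${1:-}" = "--stdin" ]; then
    # The password may arrive with or without a trailing newline.
    IFS= read -r candidate || true
    check_password "$candidate" "${2:-}"
    exit $?
fi
```

Only the new password reaches the script, so a comparison with the old password cannot be made here.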

[Samba] password strenght doubt

2006-12-26 Thread Guido Lorenzutti

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and the
old, to store a list of old passwords to check... I mean, things that
are required to enforce some policy of security by my company.
Bottom line? The users can put his username for password! Not even that 
is checked...


It's something wrong in my setup or is a feature request? I see min 
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE

   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar;
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict

   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes


Re: [Samba] password strenght doubt

2006-12-26 Thread Gary Dale
I think you'll find at least some of these are Windows Policies and 
would not be reflected in the smb.conf file. If you check the Samba 
Howto collection and the Samba by example documents at samba.org, you'll 
find examples of how to set some of the policies.


To be honest, I've never gone beyond requiring password changes, minimum 
lengths and histories.  :)



Guido Lorenzutti wrote:

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from 
backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and
the old, to store a list of old passwords to check... I mean, things
that are required to enforce some policy of security by my company.
Bottom line? The users can put his username for password! Not even 
that is checked...


It's something wrong in my setup or is a feature request? I see min 
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE

   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar;
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict

   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes




Re: [Samba] password strenght doubt

2006-12-26 Thread Guido Lorenzutti
Maybe I can do this with the check password script. But I only found 
the cracklib example. Anyone knows a way of doing this? Because the
cracklib example only checks against a dictionary.


Tnxs in advance.


Gary Dale wrote:
I think you'll find at least some of these are Windows Policies and 
would not be reflected in the smb.conf file. If you check the Samba 
Howto collection and the Samba by example documents at samba.org, 
you'll find examples of how to set some of the policies.


To be honest, I've never gone beyond requiring password changes, 
minimum lengths and histories.  :)



Guido Lorenzutti wrote:

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from 
backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and
the old, to store a list of old passwords to check... I mean, things
that are required to enforce some policy of security by my company.
Bottom line? The users can put his username for password! Not even 
that is checked...


It's something wrong in my setup or is a feature request? I see min 
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE

   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar

   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar;
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict

   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes






Re: [Samba] password strenght doubt

2006-12-26 Thread Cleber P. de Souza

Hi Guido,

There is a set of ways to accomplish such a task.
Some I use are:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
This checks the user's password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
See the man pages for correct option values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti [EMAIL PROTECTED] wrote:

Maybe I can do this with the check password script. But I only found
the cracklib example. Does anyone know a way of doing this? Because the
cracklib example only checks against a dictionary.

Thanks in advance.


Gary Dale wrote:
 I think you'll find at least some of these are Windows Policies and
 would not be reflected in the smb.conf file. If you check the Samba
 Howto collection and the Samba by example documents at samba.org,
 you'll find examples of how to set some of the policies.

 To be honest, I've never gone beyond requiring password changes,
 minimum lengths and histories.  :)


 Guido Lorenzutti wrote:
 Hi people! I have a few problems with the password strength in Samba.
 I have a PDC with LDAP on Debian Stable, with a few packages from
 backports.
 The problem is that I can't find a way to enforce strength to the
 passwords of the users. I can't define a policy to force things like:
 number of uppercase letters, number of downcase letters, number of
 numbers in the password, to check the difference between the new and
 the old, to store a list of old passwords to check... I mean, things
 that are required to enforce some policy of security by my company.
 Bottom line? The users can put their username for password! Not even
 that is checked...

 Is something wrong in my setup or is it a feature request? I see min
 password length.. but.. the rest?


 This is the important part of my setup:

 [global]
 #Network ID
workgroup = JUSBAIRES
netbios name = PDC
netbios aliases = SERVER
server string =

 #Logs
debug level = 0
syslog = 0
log level = 0
log file = /var/log/samba/%m.%U.log
max log size = 1
panic action = /usr/share/samba/panic-action %d

 #Network Support
name resolve order = wins hosts lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
wins support = yes
wins proxy = yes
enhanced browsing = yes
dns proxy = yes
time server = yes
local master = yes
smb ports = 139

 #LDAP
ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
ldap suffix = dc=jusbaires,dc=gov,dc=ar
ldap group suffix = ou=Group
ldap user suffix = ou=People
ldap machine suffix = ou=alem,ou=Computers
ldap delete dn = no
ldap passwd sync = yes

 #Printer Options
printcap name = /dev/null
printing = bsd
load printers = no

 #Security Options
admin users = administrador lgiacchetta
enable privileges = yes
preferred master = yes
lm announce = yes
domain master = yes
domain logons = yes
encrypt passwords = yes
pam password change = yes
passdb backend = ldapsam:ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar;
passwd chat debug = no
check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
unix charset = 850
dont descend = .recycle
delete veto files = yes
restrict anonymous = 1

 #Profiles stuff
logon script = netlogon.%U.bat
logon path = \\PDC\profiles\%U
logon home = \\PDC\personal
logon drive = H:
hide files = /Desktop.ini/desktop.ini/
hide dot files = yes






--
***
Cleber P. de Souza


Re: [Samba] password strenght doubt

2006-12-26 Thread beast

Guido Lorenzutti wrote:
Maybe I can do this with the check password script. But I only found
the cracklib example. Does anyone know a way of doing this? Because the
cracklib example only checks against a dictionary.

Thanks in advance.

Just make a simple script that checks that the input password is a
combination of UPPERCASE, lowercase, numb3rs and other sp3c1a!ch4r4ct3r#.


--beast
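
A sketch of the kind of script suggested above, as an added example that is not part of the original thread or of Samba: it relies only on the documented `check password script` contract (candidate password on stdin, exit status 0 accepts). The install path, the minimum length of 8 and the optional account-name argument are assumptions; pass the account name only if your setup can supply it.

```shell
#!/bin/sh
# Added example, installed as /usr/local/bin/check_pw_policy.sh (hypothetical path):
#   check password script = /usr/local/bin/check_pw_policy.sh
# smbd writes the candidate password to stdin; exit 0 accepts, non-zero rejects.

LC_ALL=C; export LC_ALL        # make [A-Z] etc. mean ASCII ranges only
MINLEN=8                       # assumed policy value, adjust to your policy

# check_password PASSWORD [ACCOUNT]
# Prints the first failed rule on stdout and returns 1; returns 0 when all pass.
check_password() {
    pw=$1
    account=${2:-}
    [ "${#pw}" -ge "$MINLEN" ] || { echo "too short"; return 1; }
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no special character"; return 1 ;; esac
    if [ -n "$account" ]; then
        # Case-insensitive substring test so "Jsmith2006!" fails for jsmith.
        lpw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
        lacct=$(printf '%s' "$account" | tr 'A-Z' 'a-z')
        case $lpw in *"$lacct"*) echo "contains the account name"; return 1 ;; esac
    fi
    return 0
}

main() {
    # Read one line; a missing trailing newline still leaves the text in $pw.
    IFS= read -r pw || :
    if reason=$(check_password "$pw" "${1:-}"); then
        exit 0
    fi
    echo "password rejected: $reason" >&2   # never log the password itself
    exit 1
}

# Run only when invoked under the installed name, so the functions can also be
# sourced or tested without consuming stdin.
if [ "${0##*/}" = "check_pw_policy.sh" ]; then
    main "$@"
fi
```

History and old-versus-new difference checks cannot be done here, because the script only ever sees the new password.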
