Re: [Samba] Forcing Users to change passwords.
On Wed, 2003-12-24 at 22:01, Andrew Bartlett wrote:
> On Fri, 2003-12-12 at 21:23, Todd O'Bryan wrote:
> > Does anyone know of an add-on you can use with a Windows domain to
> > check the security of the password before it allows a change? With a
> > terminal server system I had, the server complained if the password was
> > too close to a dictionary word, too close to the student login, 7
> > digits (i.e., looked like a phone number), etc.
> >
> > I'm sure my students (I teach high school, too) have picked really bad
> > passwords, too, but I have no good way to enforce the picking of good
> > ones.
> >
> > Todd
> >
> > On Dec 12, 2003, at 3:30 AM, Ross McInnes (Systems) wrote:
> >
> > > I totally agree. Unfortunately my user base is mostly 16-18 year olds.
> > > Getting them to put anything other than their football team, phone
> > > number or boyfriend/girlfriend's name is quite a task in itself.
> > >
>
> Charming, aren't they ;-)
>
> I build my samba with:
>
> #!/bin/sh
> LIBS="-lcrack" CFLAGS="-g" ./configure --with-utmp --with-pam
> --with-quotas --with-tdbsam --with-ldapsam --with-syslog
>
> And use the attached patch to enforce 'cracklib' strength passwords.

This time, it's attached (I hope).

> We can't include this directly in Samba, as cracklib is not under a
> GPL-compatible licence :-(
>
> Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Forcing Users to change passwords.
On Fri, 2003-12-12 at 21:23, Todd O'Bryan wrote:
> Does anyone know of an add-on you can use with a Windows domain to
> check the security of the password before it allows a change? With a
> terminal server system I had, the server complained if the password was
> too close to a dictionary word, too close to the student login, 7
> digits (i.e., looked like a phone number), etc.
>
> I'm sure my students (I teach high school, too) have picked really bad
> passwords, too, but I have no good way to enforce the picking of good
> ones.
>
> Todd
>
> On Dec 12, 2003, at 3:30 AM, Ross McInnes (Systems) wrote:
>
> > I totally agree. Unfortunately my user base is mostly 16-18 year olds.
> > Getting them to put anything other than their football team, phone
> > number or boyfriend/girlfriend's name is quite a task in itself.
> >

Charming, aren't they ;-)

I build my samba with:

#!/bin/sh
LIBS="-lcrack" CFLAGS="-g" ./configure --with-utmp --with-pam \
    --with-quotas --with-tdbsam --with-ldapsam --with-syslog

And use the attached patch to enforce 'cracklib' strength passwords.

We can't include this directly in Samba, as cracklib is not under a
GPL-compatible licence :-(

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
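The three checks Todd lists (digits that look like a phone number, closeness to the login, closeness to a dictionary word), written out as a stand-alone shell function. This is an added example, not Andrew's cracklib patch and not Samba code; the function names, the sample wordlist and the digit-for-letter table are assumptions, and it goes a little beyond the thread by also testing reversed strings and any all-digit password.

```shell
#!/bin/sh
# Added example (constructed). Screens a proposed password with the three
# rules named in the thread. Candidate strings reach tr/awk on stdin only,
# so they never show up in another process's argument list.

lower()   { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
reverse() { printf '%s\n' "$1" |
    awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'; }

# Constructed sample wordlist; a real run would use the system dictionary.
sample_wordlist() { f=$(mktemp) && printf '%s\n' Arsenal password football >"$f" && echo "$f"; }

# True if $1 (3+ letters) equals a whole line of file $2, ignoring case.
in_wordlist() {
    [ "${#1}" -ge 3 ] || return 1
    printf '%s\n' "$1" | awk 'NR == FNR { w = $0; next }
        tolower($0) == w { hit = 1; exit } END { exit !hit }' - "$2"
}

# check_password LOGIN PASSWORD WORDLIST -> prints verdict, returns 0 if ok.
check_password() {
    login=$(lower "$1"); pw=$(lower "$2"); words=$3
    # Fail closed when the inputs needed for a rule are missing.
    [ -n "$login" ] && [ -r "$words" ] || { echo "cannot check"; return 1; }

    # Rule 1: nothing but digits once separators go (555-1234, 5551234).
    digits=$(printf '%s' "$pw" | tr -d ' ().-')
    case $digits in
        '' | *[!0-9]*) ;;
        *) echo "looks like a phone number"; return 1 ;;
    esac

    # Rule 2: contains the login, forwards or backwards.
    case $pw in
        *"$login"* | *"$(reverse "$login")"*) echo "too close to login"; return 1 ;;
    esac

    # Rule 3: a dictionary word under the decoration. Test the letters alone
    # (arsenal99 -> arsenal) and with digit-for-letter swaps undone
    # (p4ssw0rd -> password), each forwards and backwards.
    plain=$(printf '%s' "$pw" | tr -cd 'a-z')
    leet=$(printf '%s' "$pw" | tr '013457@$' 'oleastas' | tr -cd 'a-z')
    for cand in "$plain" "$leet"; do
        if in_wordlist "$cand" "$words" || in_wordlist "$(reverse "$cand")" "$words"; then
            echo "too close to a dictionary word"; return 1
        fi
    done
    echo "ok"
}
```

A wrapper script around `check_password` should read the proposed password from standard input rather than take it on its own command line, for the same reason the helpers above use pipes.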
Re: [Samba] Forcing Users to change passwords.
On Thu, 2003-12-11 at 00:28, Ross McInnes (Systems) wrote:
> Recently we were audited and as part of that they looked at our systems
> and policies etc and produced a report.
>
> As part of that report they mentioned about forcing users to change their
> passwords every 90 days or so.

Samba 3.0 allows this, use pdbedit to set the "max password age" to the
number of seconds in 90 days.

pdbedit -P "maximum password age" --value=7776000

> They also mentioned about disabling accounts after 3 login attempts.

There is (slow) work to implement this, I know jra gets very excited about
it every now and then, but it's currently still at patch stage, see efforts
on the samba-technical list archives.

> I'm pretty sure both can be done on NT, but I'd rather stick with rh and
> samba thanks ever so much.
>
> Can samba do these things? even if it's a tinkering kind of job?

Samba can do most things, it's just a matter of how much tinkering ;-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] Forcing Users to change passwords.
On Fri, 12 Dec 2003, Todd O'Bryan wrote:

> Does anyone know of an add-on you can use with a Windows domain to
> check the security of the password before it allows a change? With a
> terminal server system I had, the server complained if the password was
> too close to a dictionary word, too close to the student login, 7
> digits (i.e., looked like a phone number), etc.
>
> I'm sure my students (I teach high school, too) have picked really bad
> passwords, too, but I have no good way to enforce the picking of good
> ones.

I wouldn't worry about that: My students either forget their passwords
automatically after 90 days or they tell them to their 15 best friends.
The only real security problem is my colleagues: they write them on the
cover of their calendars.
Better watch out which permissions you give to whom.

Regards,

Uli.

>
> Todd
>
> On Dec 12, 2003, at 3:30 AM, Ross McInnes (Systems) wrote:
>
> > I totally agree. Unfortunately my user base is mostly 16-18 year olds.
> > Getting them to put anything other than their football team, phone
> > number or boyfriend/girlfriend's name is quite a task in itself.
> >
> > Many Thanks
> >
> > Ross McInnes
> >
> > On Wed, 10 Dec 2003, Todd O'Bryan wrote:
> >
> >> What's the latest research on this? I heard it's better to make users
> >> pick something secure and stick with it, because if you force people
> >> to change, they're likely to pick less secure passwords and do stupid
> >> things with them, like write them down or something. Changing every 3
> >> months doesn't seem terrible, but it's still a big pain.
> >>
> >> Todd O'Bryan
> >> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
> >>
> >>> Recently we were audited and as part of that they looked at our
> >>> systems and policies etc and produced a report.
> >>>
> >>> As part of that report they mentioned about forcing users to change
> >>> their passwords every 90 days or so.
> >>>
> >>> They also mentioned about disabling accounts after 3 login attempts.
> >>>
> >>> I'm pretty sure both can be done on NT, but I'd rather stick with rh
> >>> and samba thanks ever so much.
> >>>
> >>> Can samba do these things? even if it's a tinkering kind of job?
> >>>
> >>> Many thanks
> >>>
> >>> Ross McInnes

+---------------------+
| Peter Ulrich Kruppa |
|    - Wuppertal -    |
|       Germany       |
+---------------------+
Re: [Samba] Forcing Users to change passwords.
Does anyone know of an add-on you can use with a Windows domain to
check the security of the password before it allows a change? With a
terminal server system I had, the server complained if the password was
too close to a dictionary word, too close to the student login, 7
digits (i.e., looked like a phone number), etc.

I'm sure my students (I teach high school, too) have picked really bad
passwords, too, but I have no good way to enforce the picking of good
ones.

Todd

On Dec 12, 2003, at 3:30 AM, Ross McInnes (Systems) wrote:

> I totally agree. Unfortunately my user base is mostly 16-18 year olds.
> Getting them to put anything other than their football team, phone
> number or boyfriend/girlfriend's name is quite a task in itself.
>
> Many Thanks
>
> Ross McInnes
>
> On Wed, 10 Dec 2003, Todd O'Bryan wrote:
>
> > What's the latest research on this? I heard it's better to make users
> > pick something secure and stick with it, because if you force people
> > to change, they're likely to pick less secure passwords and do stupid
> > things with them, like write them down or something. Changing every 3
> > months doesn't seem terrible, but it's still a big pain.
> >
> > Todd O'Bryan
> > On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
> >
> > > Recently we were audited and as part of that they looked at our
> > > systems and policies etc and produced a report.
> > >
> > > As part of that report they mentioned about forcing users to change
> > > their passwords every 90 days or so.
> > >
> > > They also mentioned about disabling accounts after 3 login attempts.
> > >
> > > I'm pretty sure both can be done on NT, but I'd rather stick with rh
> > > and samba thanks ever so much.
> > >
> > > Can samba do these things? even if it's a tinkering kind of job?
> > >
> > > Many thanks
> > >
> > > Ross McInnes
Re: [Samba] Forcing Users to change passwords.
I totally agree. Unfortunately my user base is mostly 16-18 year olds.
Getting them to put anything other than their football team, phone number
or boyfriend/girlfriend's name is quite a task in itself.

Many Thanks

Ross McInnes

On Wed, 10 Dec 2003, Todd O'Bryan wrote:

> What's the latest research on this? I heard it's better to make users
> pick something secure and stick with it, because if you force people to
> change, they're likely to pick less secure passwords and do stupid
> things with them, like write them down or something. Changing every 3
> months doesn't seem terrible, but it's still a big pain.
>
> Todd O'Bryan
> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
>
> > Recently we were audited and as part of that they looked at our systems
> > and policies etc and produced a report.
> >
> > As part of that report they mentioned about forcing users to change
> > their passwords every 90 days or so.
> >
> > They also mentioned about disabling accounts after 3 login attempts.
> >
> > I'm pretty sure both can be done on NT, but I'd rather stick with rh and
> > samba thanks ever so much.
> >
> > Can samba do these things? even if it's a tinkering kind of job?
> >
> > Many thanks
> >
> > Ross McInnes
RE: [Samba] Forcing Users to change passwords.
Hello,

This is great information. I have been using tdbsam as a backend and I
have been unable to get the pdbedit -P "bad lockout attempt" -C XXX to be
enforced. When I set the attribute it seems that I can try to log in as
many times as I want. Any help out there?

> Hi,
>
> Samba-3 with LDAP backend is capable of this. I'm using it and it works.
> All you have to do is to use LDAP and set proper account policies:
>
> $ pdbedit -P "bad lockout attempt" -C 5
> (after 5 wrong passwords, the user account will be locked out - samba sets
> password hashes to ***NOPASSWORD*** and the user is unable to log on).
>
> $ pdbedit -P "min password length" -C 9
>
> # password age 90 days
> $ pdbedit -P "maximum password age" -C 7776000
> Samba takes age in seconds, so 60*60*24*90 is what you need.
> Remember that the user has to change his/her password from a workstation
> once, then the policy takes effect. Another way is to manually change the
> user's "sambaPwdMustChange" value to "0", so the user is forced to change
> password on next logon. After the password change, a new
> "sambaPwdMustChange" will be set, with a timestamp 90 days forward.
>
> $ pdbedit -P "password history" -C 3
> Doesn't work. Andrew said it isn't implemented yet. Samba doesn't store
> password history... I don't know how it should be done, but it would be
> very nice to have it.
>
> regards,
>
> Rauno Tuul
>
>> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
>>
>> > Recently we were audited and as part of that they looked at our
>> > systems and policies etc and produced a report.
>> >
>> > As part of that report they mentioned about forcing users to change
>> > their passwords every 90 days or so.
>> > They also mentioned about disabling accounts after 3 login attempts.
>> >
>> > I'm pretty sure both can be done on NT, but I'd rather stick with rh
>> > and samba thanks ever so much.
>> > Can samba do these things? even if it's a tinkering kind of job?
RE: [Samba] Forcing Users to change passwords.
Hi,

Samba-3 with LDAP backend is capable of this. I'm using it and it works.
All you have to do is to use LDAP and set proper account policies:

$ pdbedit -P "bad lockout attempt" -C 5
(after 5 wrong passwords, the user account will be locked out - samba sets
password hashes to ***NOPASSWORD*** and the user is unable to log on).

$ pdbedit -P "min password length" -C 9

# password age 90 days
$ pdbedit -P "maximum password age" -C 7776000
Samba takes age in seconds, so 60*60*24*90 is what you need.
Remember that the user has to change his/her password from a workstation
once, then the policy takes effect. Another way is to manually change the
user's "sambaPwdMustChange" value to "0", so the user is forced to change
password on next logon. After the password change, a new
"sambaPwdMustChange" will be set, with a timestamp 90 days forward.

$ pdbedit -P "password history" -C 3
Doesn't work. Andrew said it isn't implemented yet. Samba doesn't store
password history... I don't know how it should be done, but it would be
very nice to have it.

regards,

Rauno Tuul

> On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:
>
> > Recently we were audited and as part of that they looked at our
> > systems and policies etc and produced a report.
> >
> > As part of that report they mentioned about forcing users to change
> > their passwords every 90 days or so.
> > They also mentioned about disabling accounts after 3 login attempts.
> >
> > I'm pretty sure both can be done on NT, but I'd rather stick with rh
> > and samba thanks ever so much.
> > Can samba do these things? even if it's a tinkering kind of job?
Re: [Samba] Forcing Users to change passwords.
What's the latest research on this? I heard it's better to make users
pick something secure and stick with it, because if you force people to
change, they're likely to pick less secure passwords and do stupid
things with them, like write them down or something. Changing every 3
months doesn't seem terrible, but it's still a big pain.

Todd O'Bryan

On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:

> Recently we were audited and as part of that they looked at our systems
> and policies etc and produced a report.
>
> As part of that report they mentioned about forcing users to change
> their passwords every 90 days or so.
>
> They also mentioned about disabling accounts after 3 login attempts.
>
> I'm pretty sure both can be done on NT, but I'd rather stick with rh and
> samba thanks ever so much.
>
> Can samba do these things? even if it's a tinkering kind of job?
>
> Many thanks
>
> Ross McInnes