[Samba] check password script for samba 4 ad dc

Krutskikh Ivan

May 26, 2015, 11:30:04 PM
Hi everyone,


A quick question: Is check password script option working for ad dc setup?
I believe AD on its own cannot provide password protection against
dictionaries.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Krutskikh Ivan

May 27, 2015, 3:30:03 AM
Hmm, looks like it's not. I've just set the password for something that
cracklib-check would argue using both AD management tools and at Windows
login. Should it work that way or am I missing something?

My dc's smb.conf:

[global]
workgroup = KURSK
realm = KURSK.MTT
netbios name = DEBIAN-DC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
check password script = /usr/sbin/cracklib-check
log level = 4

[netlogon]
path = /usr/local/samba/var/locks/sysvol/kursk.mtt/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No



logs log.samba for passwd change:

[2015/05/27 10:09:07.604309, 3]
../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with
system_session
[2015/05/27 10:09:07.617789, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ Admini...@KURSK.MTT from ipv4:192.168.1.204:50304
for kadmin/chan...@KURSK.MTT [canonicalize, renewable, forwardable]
[2015/05/27 10:09:07.631380, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2015-05-27T10:03:06 starttime:
2015-05-27T10:09:07 endtime: 2015-05-27T20:03:06 renew till:
2015-06-03T10:03:06
[2015/05/27 10:09:07.633241, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2015/05/27 10:09:07.633707, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2015/05/27 10:09:07.642900, 3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: Administrator []
[2015/05/27 10:09:07.660999, 3]
../source4/kdc/kpasswdd.c:375(kpasswd_process_request)
KURSK\Administrator (S-1-5-21-1939327600-330022255-2124521309-500) is
changing password of xvie...@kursk.mtt
[2015/05/27 10:09:07.841347, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)

Krutskikh Ivan

May 27, 2015, 1:30:03 PM
I would like to bump my question

Krutskikh Ivan

May 27, 2015, 5:10:03 PM
Update:
I found out that cracklib-check does not return correct exit codes for good
and bad passwords, so I've made a quick Python draft that exits with 0 on
a complex password and with 1 on a simple one. But that didn't make any
difference to Samba =(
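
An added example, not part of the original thread and not the poster's script: a wrapper of the kind the last message describes, which turns the text cracklib-check prints into the exit status that `check password script` expects (0 for an acceptable password, non-zero otherwise, with the password supplied on standard input). The names `verdict_ok`, `check_password` and the `runner` parameter are hypothetical; the cracklib-check path is the one from the smb.conf above. It covers only the exit-code part and does not change whether the AD DC calls the script.

```python
#!/usr/bin/env python3
"""Exit-code wrapper around cracklib-check for Samba's check password script."""
import subprocess
import sys

CRACKLIB_CHECK = "/usr/sbin/cracklib-check"  # path as given in the smb.conf above


def verdict_ok(output: str) -> bool:
    """True only if every line cracklib-check printed ends in ': OK'.

    cracklib-check echoes the candidate followed by ': ' and a verdict, so the
    verdict is matched at the end of the line; a password that itself contains
    ': OK' cannot spoof it.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    return bool(lines) and all(ln.endswith(": OK") for ln in lines)


def check_password(password: str, runner=subprocess.run) -> int:
    """Return 0 for an accepted password, 1 otherwise (fail closed on errors)."""
    try:
        proc = runner([CRACKLIB_CHECK], input=password + "\n",
                      capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return 1  # checker missing or hung: reject rather than accept
    if proc.returncode != 0:
        return 1
    return 0 if verdict_ok(proc.stdout) else 1


if __name__ == "__main__":
    # The candidate password arrives as one line on standard input.
    sys.exit(check_password(sys.stdin.readline().rstrip("\r\n")))
```

The password is never placed on the command line or written to a log, so it does not show up in the process list or in files readable by other users.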