RHEL4 ES as a PDC and changing passwords.

Binyon, Steve CTR USAF ACC 705 CTS/ASRCC Steve.Binyon at kirtland.af.mil
Thu Aug 28 14:46:46 UTC 2008


Hello,
I've set up a small isolated node of systems (4 Windows 2000 and 4
RHEL-WS and 1 RHEL ES, V4 update 2).  I've set up Samba on the RHEL4
ES as a PDC and NIS master and it is working great except for one thing:
changing passwords on the Windows systems doesn't seem to abide by the
cracklib rules I specified.  Here are the system-auth entries for
password:

password   requisite /lib/security/$ISA/pam_cracklib.so retry=3 \
		dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok \
		md5 shadow nis remember=8
password   required /lib/security/$ISA/pam_deny.so

for smb.conf I use:

unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* &n\n passwd:*all*authentication*tokens*updated*successfully*


In the syslog, when changing the password (using an invalid password of
12345678) on the Windows system, it gives:

Aug26 18:55:18 mslserver rpc.yppasswdd [3205]: update steveb (uid=1010) from host 127.0.0.1 rejected
Aug16 18:55:18 mslserver rpc.yppasswdd [3205]: invalid password
Aug26 18:55:18 mslserver passwd (pam_unix) [15011]: password not changed for steveb on mslserver.
Aug26 18:55:18 mslserver passwd (pam_unix) [15011]: password changed for steveb.

Windows comes back with 'Your password has been changed'.  And the
password has been changed for both the Windows systems and the Linux
systems.  If I change the password on a Linux system (using passwd), the
use of '123456789' will fail (too simplistic).  So it appears that the
PAM rules work as they should if changing the password on a Linux system,
but not from a Windows system.  Since Samba is using the Linux passwd to
change passwords, I was thinking that it would fail on simplistic
passwords.  Why is this not doing what I was expecting?

The smb.conf man page states that the unix password is changed first before
smbpasswd, therefore if the unix password fails, then smbd will fail to
change the SMB password file.

From the syslog, it appears that it does fail, but for some reason, it
gets changed.

How can I get this to work?

Note: These systems are not on the internet, and the above was typed in
by hand.

Thanks.

Steve
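
One way to spot the sequence described in this message in syslog (a rejection logged for a user, then "password changed" for the same user moments later), as an added example that is not part of the original post. The sample lines are constructed from the excerpt above; the function name, the 5-second window and the default year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the hand-typed syslog excerpt in the post
# (lines unwrapped; the "alice" entry is an added control, not from the post).
SAMPLE_LOG = """\
Aug26 18:55:18 mslserver rpc.yppasswdd [3205]: update steveb (uid=1010) from host 127.0.0.1 rejected
Aug26 18:55:18 mslserver rpc.yppasswdd [3205]: invalid password
Aug26 18:55:18 mslserver passwd (pam_unix) [15011]: password not changed for steveb on mslserver.
Aug26 18:55:18 mslserver passwd (pam_unix) [15011]: password changed for steveb.
Aug 26 19:02:41 mslserver passwd(pam_unix)[15102]: password changed for alice
"""

# Tolerates both "Aug26 ... passwd (pam_unix) [15011]:" and standard syslog spacing.
LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s*(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\s*(?:\([\w.]+\))?\s*\[\d+\]: (?P<msg>.*)$")
REJECTED = re.compile(r"^update (\S+) .*rejected$|^password not changed for (\S+)")
CHANGED = re.compile(r"^password changed for (\S+)")

def find_bypassed_rejections(log_text, window=timedelta(seconds=5), year=2008):
    """Return password changes logged within `window` after a rejection for the same user.

    Syslog lines carry no year, so `year` is an assumption (the post is dated 2008).
    """
    last_reject = {}  # user -> (timestamp, raw line) of the most recent rejection
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog line this parser understands
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        rej = REJECTED.match(m["msg"])
        if rej:
            user = (rej.group(1) or rej.group(2)).rstrip(".")
            last_reject[user] = (when, raw.strip())
            continue
        chg = CHANGED.match(m["msg"])
        if chg:
            user = chg.group(1).rstrip(".")
            prev = last_reject.pop(user, None)
            if prev and timedelta(0) <= when - prev[0] <= window:
                findings.append({"user": user, "host": m["host"],
                                 "rejected": prev[1], "changed": raw.strip()})
    return findings

if __name__ == "__main__":
    for f in find_bypassed_rejections(SAMPLE_LOG):
        print(f"{f['host']}: {f['user']} changed after rejection\n  {f['rejected']}\n  {f['changed']}")
```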



