Make pam_cracklib use a similar (slightly more restrictive) policy than the one AD uses, so cracklib will catch the 'bad' password before AD does.

--
Yu Wang
Information Technology Services
University of North Florida
(904) 620-2820

> -----Original Message-----
> From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Lech Lachowicz
> Sent: Thursday, February 10, 2005 3:38 AM
> To: pam-list@xxxxxxxxxx
> Subject: Password policy question [pam_krb5 problem]
>
> Hello.
> I'm trying to make users authenticate to a Linux box through Active Directory.
> Everything works just fine, except changing passwords. I'm able to change the password from the Linux box, but if I type a password that doesn't meet the policy on the AD server I get this in the logs:
>
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: configured realm 'MY.DOMAIN'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flags:
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no ignore_afs
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: user_check
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: use_authtok
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: no krb4_convert
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: flag: warn
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ticket lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: renewable lifetime: 0
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: banner: Kerberos 5
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: ccache dir: /tmp
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: keytab: /etc/krb5.keytab
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: password changed for lech.lachowicz@xxxxxxxxx
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: obtaining credentials using new password for 'lech.lachowicz@xxxxxxxxx'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: authenticating 'lech.lachowicz@xxxxxxxxx' to 'krbtgt/MY.DOMAIN@xxxxxxxxx'
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: krb5_get_init_creds_password(krbtgt/MY.DOMAIN@xxxxxxxxx) returned -1765328360 (Preauthentication failed)
> Feb 10 09:17:14 sandbender passwd[6075]: pam_krb5[6075]: pam_chauthtok returning 0 (Success)
>
> And on the user terminal:
>
> [lech.lachowicz@sandbender lech.lachowicz]$ passwd
> Changing password for user lech.lachowicz.
> Kerberos 5 Password:
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.
> [lech.lachowicz@sandbender lech.lachowicz]$
>
> The password is still the same. So my question is: what can I do to make pam_krb5 report an error if the password policy isn't met?
>
> My pam.d/passwd:
>
> password required pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=
> password sufficient pam_unix.so nullok use_first_pass md5 shadow debug
> password required pam_krb5.so use_authtok debug
>
> --
> Regards,
> Lech Lachowicz
>
> _______________________________________________
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
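The reply's point is that the local pam_cracklib line should reject everything the domain would reject, so the failure is reported by passwd instead of being swallowed after the KDC refuses the change. The script below is an added example, not code from this thread, pam_cracklib or Windows: it models pam_cracklib's minlen/credit arithmetic (only that part, not its dictionary, palindrome or similarity checks) next to the usual default AD complexity rules (assumption: minimum length 7, three of four character classes, no account-name or display-name substring), and lists the constructed sample passwords that the thread's cracklib line lets through but AD would refuse. The user `jdoe` / `Jane Doe`, the sample passwords, and the assumption that the truncated credit values in the thread's config keep pam_cracklib's default of 1 are all constructed for the example.

```python
"""Compare a pam_cracklib-style credit policy with an AD-style complexity policy.

Added example for this list thread (not from the thread, pam_cracklib or Windows).
Assumptions: AD rules are the common domain defaults (min length 7, three of four
classes, no account-name / display-name token of 3+ chars inside the password);
the cracklib model covers only the minlen/credit arithmetic.
"""
import re


def char_classes(pw):
    """Count characters per class: digits, uppercase, lowercase, other."""
    d = sum(c.isdigit() for c in pw)
    u = sum(c.isupper() for c in pw)
    l = sum(c.islower() for c in pw)
    return {"d": d, "u": u, "l": l, "o": len(pw) - d - u - l}


def cracklib_ok(pw, minlen=6, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Simplified model of pam_cracklib's minlen/credit rule.

    A credit >= 0 adds up to that many 'length' points for the class;
    a credit < 0 is a hard minimum count for the class.
    The credited length must reach minlen.
    """
    counts = char_classes(pw)
    score = len(pw)
    for cls, credit in (("d", dcredit), ("u", ucredit), ("l", lcredit), ("o", ocredit)):
        if credit < 0:
            if counts[cls] < -credit:
                return False
        else:
            score += min(counts[cls], credit)
    return score >= minlen


def ad_ok(pw, account_name, display_name="", minlen=7):
    """Model of the default AD 'complexity requirements' plus a minimum length."""
    if len(pw) < minlen:
        return False
    if sum(1 for n in char_classes(pw).values() if n > 0) < 3:
        return False
    low = pw.lower()
    # Account name must not appear (AD checks it when it is at least 3 chars long)
    if len(account_name) >= 3 and account_name.lower() in low:
        return False
    # Display-name tokens of 3+ chars must not appear either
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in low:
            return False
    return True


# The thread's line, assuming the truncated credits keep the default of 1 (assumption)
ORIGINAL = dict(minlen=6, dcredit=1, ucredit=1, lcredit=1, ocredit=1)
# A stricter line in the spirit of the reply: 8 chars and at least one of every class
STRICTER = dict(minlen=8, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)

# Constructed sample passwords for a constructed user jdoe / "Jane Doe"
SAMPLES = ["passwd", "password1", "Jdoe2005!", "Tr0ub4dor&3", "Summer2005"]


def leaks(policy, samples, account, display):
    """Passwords the local cracklib policy accepts but AD rejects.

    Each of these would pass the local stack and be refused by the KDC,
    which is the situation the thread's logs show.
    """
    return [pw for pw in samples
            if cracklib_ok(pw, **policy) and not ad_ok(pw, account, display)]


if __name__ == "__main__":
    for label, policy in (("thread's config", ORIGINAL), ("stricter config", STRICTER)):
        print(f"{label}: passes locally, AD would reject: "
              f"{leaks(policy, SAMPLES, 'jdoe', 'Jane Doe')}")
```

With the thread's line, `passwd`, `password1` and `Jdoe2005!` all pass locally and would be refused by AD; with the stricter line only `Jdoe2005!` still gets through, because the account-name rule is not something the credit options can express. That residual case is why matching the policy narrows the silent-failure window but does not close it entirely: the pam_krb5 return value still matters.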