[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)

mathias dufresne infractory at gmail.com
Tue Dec 8 16:45:50 UTC 2015


I just can't answer your question as I do not have this information. I don't
know how Samba works, I've got feelings about how it works : )
And as my MS world knowledge is even worse, I can't rely on it to tell you
how Windows generates its password policy.

How I think it works is:
- you configure the password policy using samba-tool
- Samba modifies the default domain policy (not tested, even if it's easy
  enough)
- the Windows client gets the new policy when gpupdate is launched or at boot
  time (because the password policy is a computer policy, and this is because
  there is nothing in Samba to manage that account by account)

Just feelings...

2015-12-08 17:29 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> As far as I understand Samba and the wiki in this regard, the Samba4 DC's
> password policy is not a typical domain policy (no GPO). It can't be inherited
> by Windows clients. So I suspect the full story to be:
>
> - on the Unix side (DC and member server) the Samba password rules apply
> - on the Windows client side the inherited Windows POLICIES apply (as far
> as possible)
>
> In effect, if e.g. password lockout threshold is configured differently on
> Samba DC and Windows clients, the lower threshold of the two will determine
> the behavior of the domain (on Windows clients).
>
> Does that sound reasonable?
>
> Ole
>
>
>
> On 08.12.2015 at 17:06, mathias dufresne wrote:
>
>> I expect you already did that, but just in case... did you reboot your
>> Windows client to apply the new Computer GPO (or use the gpupdate MS tool)?
>>
>> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>>> Hi,
>>>
>>> here on the wiki
>>>
>>>
>>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>>> I read this:
>>>
>>>
>>>     "Is it possible to set user specific password policies in Samba4 (e.
>>>     g. on a OU-base)?
>>>
>>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>>> passwordsettings' to change password policies. But this only applies on
>>> domain level."
>>>
>>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect
>>> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
>>> to get the account locked out (tested on 3 different machines). And on
>>> domain join it seems only to need 1 invalid attempt.
>>>
>>> What is the full story here?
>>>
>>> Ole
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>

