[Samba] Domain password policy with Samba AD DC

Rowland Penny rpenny at samba.org
Wed Sep 6 14:43:31 UTC 2023

On Wed, 6 Sep 2023 07:50:20 -0600
David Mulder via samba <samba at lists.samba.org> wrote:

> On 9/6/23 6:53 AM, Rowland Penny via samba wrote:
> >
> > Hello David, I thought you might be away on holiday, so didn't
> > really push this after my initial testing.
> >
> > How does Windows do this? I doubt if it is using a Linux cache file.
> > From my testing, GPME will alter the default domain policy, but
> > Samba doesn't seem to write these changes to AD, it also doesn't
> > update/create the cache file.
> The cache file only gets updated if that GPO version number is
> updated (which `samba-tool gpo manage` failed to do in some instances
> until recently, again see
> https://bugzilla.samba.org/show_bug.cgi?id=15327).
> > I am not an expert on GPOs (very far from one), but shouldn't the
> > cache file only be created on a Unix domain member and is there a
> > different GPO to set password properties on a Unix domain member ?
> These password policies are only meant to be applied to Domain 
> Controllers (you apply the password policy to the DC, then the domain 
> members must abide by that policy because the DC is now enforcing
> it). This policy never applies to a domain member unless it is a DC.

I was trying to change the default domain policy with GPME and it was
writing to Sysvol.
> > What I am trying to say is, if you set the password attributes with
> > GPME, shouldn't that GPO write to AD ?
> The GPME modifies files on the SYSVOL. I'm not sure what you mean by 
> "shouldn't that GPO write to AD".

OK, read that as 'altering the password attributes in AD', which is
what samba-tool does.

Or to put it another way: you change a password setting in GPME, and this
results in the default domain policy GPO in Sysvol being updated, so
far so good. There doesn't seem to be anything to read the GPO changes
and alter the required attributes in AD.
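The gap described in this message is the step between the GptTmpl.inf that GPME writes to SYSVOL and the password attributes on the domain object in AD. The following is an added example, not code from the thread or from Samba: it parses the [System Access] section of a GptTmpl.inf, translates it to the AD attribute values (minPwdLength, pwdHistoryLength, minPwdAge, maxPwdAge, pwdProperties, lockoutThreshold), and reports which attributes differ from the values currently in AD, so an administrator can check whether SYSVOL and AD agree. The sample inf is constructed; the day-to-ticks conversion, the treatment of MaximumPasswordAge = -1 as "never expires", and the `samba-tool domain passwordsettings set` option names are assumptions from my own knowledge of the formats. Nothing is written to AD.

```python
# Added example: compare the password policy a GPO puts in SYSVOL with the
# domain attributes in AD (the part of the pipeline the thread says is missing).
import configparser

# Constructed sample of what GPME writes under
# Policies/{GUID}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

DOMAIN_PASSWORD_COMPLEX = 0x1                 # bit in pwdProperties
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000     # AD stores ages in 100-ns ticks (negative)
NEVER_EXPIRES = -0x8000000000000000           # maxPwdAge value for "never" (assumption)


def parse_system_access(text):
    """Return the [System Access] entries of a GptTmpl.inf as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case as written in the inf
    cp.read_string(text)
    return {k: int(v) for k, v in cp["System Access"].items()}


def to_ad_attributes(policy):
    """Map inf keys to the AD domain attributes samba-tool would set."""
    ad = {}
    if "MinimumPasswordLength" in policy:
        ad["minPwdLength"] = policy["MinimumPasswordLength"]
    if "PasswordHistorySize" in policy:
        ad["pwdHistoryLength"] = policy["PasswordHistorySize"]
    if "MinimumPasswordAge" in policy:
        ad["minPwdAge"] = -policy["MinimumPasswordAge"] * TICKS_PER_DAY
    if "MaximumPasswordAge" in policy:
        days = policy["MaximumPasswordAge"]
        ad["maxPwdAge"] = NEVER_EXPIRES if days == -1 else -days * TICKS_PER_DAY
    if "PasswordComplexity" in policy:
        ad["pwdProperties"] = DOMAIN_PASSWORD_COMPLEX if policy["PasswordComplexity"] else 0
    if "LockoutBadCount" in policy:
        ad["lockoutThreshold"] = policy["LockoutBadCount"]
    return ad


def diff_against_ad(expected, current):
    """Names of attributes whose AD value differs from what the GPO asks for.

    `current` is what you would read from the domain DN, e.g. with
    `ldbsearch -H /usr/local/samba/private/sam.ldb -s base minPwdLength ...`.
    """
    return sorted(k for k, v in expected.items() if current.get(k) != v)


def samba_tool_command(policy):
    """The samba-tool invocation that would apply the inf's policy to AD
    (option names assumed from samba-tool domain passwordsettings set)."""
    opts = []
    if "PasswordComplexity" in policy:
        opts.append("--complexity=" + ("on" if policy["PasswordComplexity"] else "off"))
    if "PasswordHistorySize" in policy:
        opts.append(f"--history-length={policy['PasswordHistorySize']}")
    if "MinimumPasswordLength" in policy:
        opts.append(f"--min-pwd-length={policy['MinimumPasswordLength']}")
    if "MinimumPasswordAge" in policy:
        opts.append(f"--min-pwd-age={policy['MinimumPasswordAge']}")
    if "MaximumPasswordAge" in policy:
        opts.append(f"--max-pwd-age={policy['MaximumPasswordAge']}")
    return "samba-tool domain passwordsettings set " + " ".join(opts)


if __name__ == "__main__":
    policy = parse_system_access(SAMPLE_GPTTMPL)
    wanted = to_ad_attributes(policy)
    # Constructed: AD still has the default 7-character minimum but no history
    in_ad = dict(wanted, pwdHistoryLength=0)
    print("GPO wants:", wanted)
    print("Out of sync:", diff_against_ad(wanted, in_ad))
    print(samba_tool_command(policy))
```

Run it against a real SYSVOL by reading the inf file instead of SAMPLE_GPTTMPL and filling `in_ad` from an ldbsearch of the domain DN; a non-empty result from diff_against_ad is exactly the situation described in the thread, where the GPO in SYSVOL has changed but AD has not.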
