[Samba] Domain password policy with Samba AD DC

[Peter Milesson]

On 06.09.2023 13:51, David Mulder via samba wrote:
>
> On 8/28/23 1:45 AM, Peter Milesson via samba wrote:
>>
>>
>> Many thanks for the information. I guess, which of the methods for 
>> setting password policies depends on local conditions, and admin 
>> preferences and experience. In a mainly Windows oriented domain, 
>> setting things through the GPMC would be the preferred way, and in a 
>> mixed, or Linux oriented domain, with samba-tool.
> The samba-tool command for setting password policies is simply setting 
> the same value that the GPME does. So it doesn't matter at all which 
> you use for this. You need to make sure you set the password policy on 
> the `Default Domain Controller Policy`. Then you need to enable group 
> policy on the *domain controller*, via the "apply group policies" 
> setting, as mentioned previously.
>>
>> What I pointed out in my original post was, the absence of 
>> information about GPO handling in the Samba wiki, when setting up a 
>> new AD DC. IMHO this information is absolutely essential for 
>> successful domain operations with Windows. Even in a fairly small 
>> domain with a Samba AD DC, a server (Samba or Windows), and a few 
>> workstations, operations will be quite impaired without applying at 
>> least a few essential GPOs. In my particular case, folder 
>> redirection, and a few other things. I couldn't imagine setting up 
>> the domain without GPOs, and it would end up in a horrible mess.
> Sounds like a documentation issue. We should add these details to the 
> wiki page you were following.
>>
>> So, just a few lines and a link to the GPO wiki page in the 
>> instructions for setting up a Samba AD DC, will be sufficient. In the 
>> GPO wiki page, your information about the "apply group policies" 
>> should not be missing, as well as a link to David Mulder's GPO 
>> "bible" (https://dmulder.github.io/group-policy-book/sec.html), which 
>> Rowland kindly pointed out.
>>
Hi David,

I just tested according to your instruction.

Logging in as Administrator at testdom.talps and setting password policies 
with GPME on Default Domain Controller Policies (specifically minimum 
password length = 5). Then through a cmd prompt with raised privileges 
gpupdate /force. Log out. Restart Samba AD DC. Running a sysvolcheck 
with no errors.

Does still not work. It's still the settings made with samba-tool domain 
passwordsettings (minimum password length = 4) that decides the password 
policies.

I have also tried setting password policies on Default Domain Policies. 
No juice.

What I get from samba-tool domain passwordpolicies show is:

Password information for domain 'DC=testdom,DC=talps'

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 4
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30


My smb.conf

# Global parameters
[global]
         dns forwarder = xxx.xxx.xxx.xxx
         netbios name = TESTADC1
         realm = TESTDOM.TALPS
         server role = active directory domain controller
         workgroup = TESTDOM
         idmap_ldb:use rfc2307 = yes
         apply group policies = yes

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[netlogon]
         path = /var/lib/samba/sysvol/testdom.talps/scripts
         read only = No

As I previously stated, it's just a nuisance, you probably set password 
policies once, or very seldom. It would be nice if it worked as in a 
Windows AD DC.

Best regards,

Peter