[Samba] Domain password policy with Samba AD DC
David Mulder
dmulder at samba.org
Wed Sep 6 16:26:33 UTC 2023
On 9/6/23 10:19 AM, Peter Milesson via samba wrote:
>
> I just tested according to your instruction.
>
> Logging in as Administrator at testdom.talps and setting password
> policies with GPME on Default Domain Controller Policies (specifically
> minimum password length = 5). Then through a cmd prompt with raised
> privileges gpupdate /force. Log out. Restart Samba AD DC. Running a
> sysvolcheck with no errors.
>
> Does still not work. It's still the settings made with samba-tool
> domain passwordsettings (minimum password length = 4) that decides the
> password policies.
>
> I have also tried setting password policies on Default Domain
> Policies. No juice.
>
> What I get from samba-tool domain passwordpolicies show is:
>
> Password information for domain 'DC=testdom,DC=talps'
>
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 4
> Minimum password age (days): 0
> Maximum password age (days): 0
> Account lockout duration (mins): 30
> Account lockout threshold (attempts): 0
> Reset account lockout after (mins): 30
>
>
> My smb.conf
>
> # Global parameters
> [global]
> dns forwarder = xxx.xxx.xxx.xxx
> netbios name = TESTADC1
> realm = TESTDOM.TALPS
> server role = active directory domain controller
> workgroup = TESTDOM
> idmap_ldb:use rfc2307 = yes
> apply group policies = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/testdom.talps/scripts
> read only = No
>
> As I previously stated, it's just a nuisance, you probably set
> password policies once, or very seldom. It would be nice if it worked
> as in a Windows AD DC.
>
>
What's the output of these commends?
sudo samba-gpupdate --rsop --target=Computer
sudo samba-gpupdate -d5 --force --target=Computer
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list