[Samba] Domain password policy with Samba AD DC

David Mulder dmulder at samba.org
Wed Sep 6 16:59:29 UTC 2023


So, now I'm confused. This output shows it working exactly as intended.

The rsop shows that you set the following policy on the sysvol:

> samba-gpupdate --rsop --target=Computer
>
> Resultant Set of Policy
> Computer Policy
>
> GPO: Default Domain Policy
> ================================================================================================================================ 
>
>   CSE: gp_access_ext
>   ----------------------------------------------------------------
>     Policy Type: System Access
> ----------------------------------------------------------------
>     [ MinimumPasswordAge ] =         0
>     [ MaximumPasswordAge ] =         -1
>     [ MinimumPasswordLength ] =         6
> ----------------------------------------------------------------
>   ----------------------------------------------------------------

And forcing the policy to apply shows that it clearly (well, maybe not 
so clearly) did what you asked it to do:

> samba-gpupdate -d5 --force --target=Computer
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type": "dsdbChange", 
> "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, 
> "status": "Success", "operation": "Modify", "remoteAddress": null, 
> "performedAsSystem": false, "userSid": "S-1-5-18", "dn": 
> "DC=testdom,DC=talps", "transactionId": 
> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge": 
> {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", 
> "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, 
> "status": "Success", "operation": "Modify", "remoteAddress": null, 
> "performedAsSystem": false, "userSid": "S-1-5-18", "dn": 
> "DC=testdom,DC=talps", "transactionId": 
> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": 
> {"actions": [{"action": "replace", "values": [{"value": 
> "864000000000"}]}]}}}}
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", 
> "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, 
> "status": "Success", "operation": "Modify", "remoteAddress": null, 
> "performedAsSystem": false, "userSid": "S-1-5-18", "dn": 
> "DC=testdom,DC=talps", "transactionId": 
> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdLength": 
> {"actions": [{"action": "replace", "values": [{"value": "6"}]}]}}}}
>

Note the `replace: minPwdAge [0]`, `replace: maxPwdAge [864000000000]` 
(-1), and `replace: minPwdLength [6]`.

This is working as intended, as far as I can tell. So, what's the 
problem that I'm not understanding?

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
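
Added example (not part of the original message and not Samba's own code): a Python filter that pulls password-policy changes out of `dsdbChange` JSON audit records like those quoted above, so modifications to `minPwdAge`, `maxPwdAge` or `minPwdLength` can be reviewed. The sample log is constructed from two of the quoted records (unwrapped to one line each) plus one made-up unrelated record; the function name and the conversion of age values from 100-nanosecond ticks to days are this example's assumptions.

```python
import json

POLICY_ATTRS = {"minPwdAge", "maxPwdAge", "minPwdLength"}
AGE_ATTRS = {"minPwdAge", "maxPwdAge"}
TICKS_PER_DAY = 86400 * 10**7  # age attributes are counted in 100-nanosecond ticks

# Constructed sample: a human-readable line, two records from the quoted output
# (unwrapped), and one invented record for an attribute that is not password policy.
SAMPLE_LOG = """\
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
{"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": {"actions": [{"action": "replace", "values": [{"value": "864000000000"}]}]}}}}
{"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdLength": {"actions": [{"action": "replace", "values": [{"value": "6"}]}]}}}}
{"timestamp": "2023-09-06T18:40:29.000000+0200", "type": "dsdbChange", "dsdbChange": {"statusCode": 0, "status": "Success", "operation": "Modify", "userSid": "S-1-5-18", "dn": "CN=example,DC=testdom,DC=talps", "attributes": {"description": {"actions": [{"action": "replace", "values": [{"value": "x"}]}]}}}}
"""


def policy_changes(log_text):
    """Return one dict per password-policy attribute value found in dsdbChange records."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable "DSDB Change [...]" lines and other noise
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or line-wrapped record
        if rec.get("type") != "dsdbChange":
            continue
        chg = rec.get("dsdbChange", {})
        for attr, detail in chg.get("attributes", {}).items():
            if attr not in POLICY_ATTRS:
                continue
            for act in detail.get("actions", []):
                for val in act.get("values", []):
                    raw = int(val["value"])
                    rows.append({
                        "timestamp": rec.get("timestamp"),
                        "user_sid": chg.get("userSid"),
                        "dn": chg.get("dn"),
                        "status": chg.get("status"),
                        "attribute": attr,
                        "action": act.get("action"),
                        "value": raw,
                        # magnitude in days for the age attributes, None otherwise
                        "days": abs(raw) / TICKS_PER_DAY if attr in AGE_ATTRS else None,
                    })
    return rows


if __name__ == "__main__":
    for row in policy_changes(SAMPLE_LOG):
        print(row)
```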



