[Samba] Domain password policy with Samba AD DC
Peter Milesson
miles at atmos.eu
Wed Sep 6 18:30:46 UTC 2023
On 06.09.2023 18:59, David Mulder via samba wrote:
> So, now I'm confused. This output shows it working exactly as intended.
>
> The rsop shows that you set the following policy on the sysvol:
>
>> samba-gpupdate --rsop --target=Computer
>>
>> Resultant Set of Policy
>> Computer Policy
>>
>> GPO: Default Domain Policy
>> ================================================================================================================================
>>
>> CSE: gp_access_ext
>> ----------------------------------------------------------------
>> Policy Type: System Access
>> ----------------------------------------------------------------
>> [ MinimumPasswordAge ] = 0
>> [ MaximumPasswordAge ] = -1
>> [ MinimumPasswordLength ] = 6
>> ----------------------------------------------------------------
>> ----------------------------------------------------------------
> And forcing the policy to apply shows that it clearly (well, maybe not
> so clearly) did what you asked it to do:
>> samba-gpupdate -d5 --force --target=Computer
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
>> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge":
>> {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
>> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge":
>> {"actions": [{"action": "replace", "values": [{"value":
>> "864000000000"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
>> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
>> {"minPwdLength": {"actions": [{"action": "replace", "values":
>> [{"value": "6"}]}]}}}}
>>
> Note the `replace: minPwdAge [0]`, `replace: maxPwdAge [864000000000]`
> (-1), and `replace: minPwdLength [6]`.
>
> This is working as intended, as far as I can tell. So, what's the
> problem that I'm not understanding?
>
Hi David,

I'm also confused.

In your first post you wrote "You need to make sure you set the password
policy on the `Default Domain Controller Policy`."

Unfortunately I cannot supply screen dumps, as access is via X2Go to my
office Linux workstation, and then via RDP to the Windows 10 PC.

With GPME I set Default Domain Controllers Policy:

Enforce password history: 0
Maximum password age: 0
Minimum password age: 0
Minimum password length: 5

What shows up are the settings for Default Domain Policy, where the
following was set (from previous tests):

Enforce password history: Not Defined
Maximum password age: 0
Minimum password age: 0
Minimum password length: 6

However, neither of those has any effect whatsoever. What gets
applied are the settings made with samba-tool domain passwordsettings on
the DC. In those, minimum password length = 4. I can without problems
set a password with the length 4 for any domain user, and I expected
something else (minimum length of 5 or 6), depending on which GPO gets
applied. Running gpresult /scope Computer on the Windows 10 PC shows
that the Default Domain Policy gets applied (with minimum password
length 6).

When setting a password for a user through Domain Users and Computers, I'm
not allowed to set a password with less than 4 characters. 4 is OK, but
3 is not (consistent with what is set through samba-tool).

The conclusion is, something does not work as expected. Either there is
a bug in Samba 4.18.6, or I've got something wrong on my DC.

Tomorrow I will check what happens when I try to change the password as a
user on the physical Windows PC.

Thanks for the suggestions so far.

Best regards,

Peter
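
Added example, not part of the original message or of Samba's own code: a small Python filter that picks password-policy modifications out of `dsdbChange` JSON audit records like the ones quoted above, so a change to the domain policy can be seen and attributed. The function names are hypothetical, and the age values are read as 100-nanosecond intervals, the unit AD uses for these attributes.

```python
import json

# Attributes on the domain head object that make up the password policy.
POLICY_ATTRS = {"minPwdAge", "maxPwdAge", "minPwdLength", "pwdHistoryLength", "pwdProperties"}
TICKS_PER_DAY = 864_000_000_000  # 100 ns intervals in one day

# Entries 1-3 are abridged from the log quoted above and unwrapped to one line
# each; entry 4 is constructed (hypothetical user DN) and must be ignored.
SAMPLE_LOG = [
    'DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] status [Success]',
    '{"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", '
    '"dsdbChange": {"status": "Success", "operation": "Modify", "userSid": "S-1-5-18", '
    '"dn": "DC=testdom,DC=talps", "attributes": {"maxPwdAge": {"actions": '
    '[{"action": "replace", "values": [{"value": "864000000000"}]}]}}}}',
    '{"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", '
    '"dsdbChange": {"status": "Success", "operation": "Modify", "userSid": "S-1-5-18", '
    '"dn": "DC=testdom,DC=talps", "attributes": {"minPwdLength": {"actions": '
    '[{"action": "replace", "values": [{"value": "6"}]}]}}}}',
    '{"timestamp": "2023-09-06T18:41:00.000000+0200", "type": "dsdbChange", "dsdbChange": '
    '{"userSid": "S-1-5-18", "dn": "CN=Example User,CN=Users,DC=testdom,DC=talps", "attributes": '
    '{"description": {"actions": [{"action": "replace", "values": [{"value": "x"}]}]}}}}',
]

def ticks_to_days(value):
    """Magnitude in days of an age attribute stored as 100 ns intervals."""
    return abs(int(value)) / TICKS_PER_DAY

def policy_changes(lines):
    """Yield one dict per password-policy attribute change in dsdbChange records."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # human-readable companion line, no JSON payload
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or wrapped record
        chg = rec.get("dsdbChange") if rec.get("type") == "dsdbChange" else None
        if not chg:
            continue
        for attr, detail in chg.get("attributes", {}).items():
            if attr not in POLICY_ATTRS:
                continue
            for act in detail.get("actions", []):
                yield {"time": rec.get("timestamp"), "dn": chg.get("dn"),
                       "sid": chg.get("userSid"), "attr": attr, "action": act.get("action"),
                       "values": [v.get("value") for v in act.get("values", [])]}

if __name__ == "__main__":
    for c in policy_changes(SAMPLE_LOG):
        print(c["time"], c["dn"], c["sid"], c["action"], c["attr"], c["values"])
```

Comparing the values reported here with the output of `samba-tool domain passwordsettings` on the DC shows whether a later write has replaced what the GPO set.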