[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Wed Sep 6 18:30:46 UTC 2023



On 06.09.2023 18:59, David Mulder via samba wrote:
> So, now I'm confused. This output shows it working exactly as intended.
>
> The rsop shows that you set the following policy on the sysvol:
>
>> samba-gpupdate --rsop --target=Computer
>>
>> Resultant Set of Policy
>> Computer Policy
>>
>> GPO: Default Domain Policy
>> ================================================================================================================================ 
>>
>>   CSE: gp_access_ext
>> ----------------------------------------------------------------
>>     Policy Type: System Access
>> ----------------------------------------------------------------
>>     [ MinimumPasswordAge ] =         0
>>     [ MaximumPasswordAge ] =         -1
>>     [ MinimumPasswordLength ] =         6
>> ----------------------------------------------------------------
>> ----------------------------------------------------------------
> And forcing the policy to apply shows that it clearly (well, maybe not 
> so clearly) did what you asked it to do:
>> samba-gpupdate -d5 --force --target=Computer
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] 
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
>> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type": 
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": 
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge": 
>> {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] 
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
>> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type": 
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": 
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": 
>> {"actions": [{"action": "replace", "values": [{"value": 
>> "864000000000"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST] 
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
>> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type": 
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": 
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": 
>> {"minPwdLength": {"actions": [{"action": "replace", "values": 
>> [{"value": "6"}]}]}}}}
>>
> Note the `replace: minPwdAge [0]`, `replace: maxPwdAge [864000000000]` 
> (-1), and `replace: minPwdLength [6]`.
>
> This is working as intended, as far as I can tell. So, what's the 
> problem that I'm not understanding?
>
Hi David,

I'm also confused.

In your first post you wrote "You need to make sure you set the password 
policy on the `Default Domain Controller Policy`."

Unfortunately I cannot supply screen dumps, as access is via X2Go to my 
office Linux workstation, and then via RDP to the Windows 10 PC.

With the GPME I set the Default Domain Controllers Policy to:

Enforce password history: 0
Maximum password age: 0
Minimum password age: 0
Minimum password length: 5


What shows up are the settings for Default Domain Policy, where the 
following had been set (from previous tests):

Enforce password history: Not Defined
Maximum password age: 0
Minimum password age: 0
Minimum password length: 6

However, neither of those has any effect whatsoever. What gets 
applied are the settings made with samba-tool domain passwordsettings on 
the DC. In those, minimum password length = 4. I can set a password of 
length 4 for any domain user without problems, and I expected 
something else (a minimum length of 5 or 6), depending on which GPO gets 
applied. Running `gpresult /scope Computer` on the Windows 10 PC shows 
that the Default Domain Policy gets applied (with minimum password 
length 6).

When setting a password for a user through Domain Users and Computers, 
I'm not allowed to set a password with fewer than 4 characters. 4 is OK, 
but 3 is not (consistent with what is set through samba-tool).

The conclusion is, something does not work as expected. Either there is 
a bug in Samba 4.18.6, or I've got something wrong on my DC.

Tomorrow I will check what happens when I try to change password as a 
user on the physical Windows PC.

Thanks for the suggestions so far.

Best regards,

Peter
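Added example for readers of this thread (not part of the thread and not Samba's own code): a small Python script that reads the dsdbChange JSON audit records Samba prints, such as the three lines quoted above from the `samba-gpupdate -d5` run, keeps only successful modifications of the domain password-policy attributes, and renders the *PwdAge values, which AD stores as 100-nanosecond intervals (864000000000 is one day), in days so they can be compared with what the GPO shows. The three JSON records and the plain-text "DSDB Change [Modify] ..." line are copied from the quoted output; the description change on a user object is constructed to show what gets filtered out. The attribute set `POLICY_ATTRS`, the function names and the sample log are my assumptions for the example.

```python
"""Pick domain password-policy changes out of Samba dsdbChange JSON audit records.

Added example; not Samba code and not the poster's. Each record is one JSON
object per line, exactly as `samba-gpupdate -d5` printed them in the thread.
"""
import json
from typing import Iterator, Optional

# Attributes on the domain NC head that make up the domain password policy.
# (Assumed set for this example; lockout attributes included for completeness.)
POLICY_ATTRS = {
    "minPwdAge", "maxPwdAge", "minPwdLength", "pwdHistoryLength",
    "pwdProperties", "lockoutThreshold", "lockoutDuration",
    "lockOutObservationWindow",
}

# AD stores password ages as 100-nanosecond intervals: 864000000000 is one day.
TICKS_PER_DAY = 10_000_000 * 86_400


def ticks_to_days(ticks: int) -> float:
    """Convert a 100-ns interval to days, keeping the sign as stored."""
    return ticks / TICKS_PER_DAY


def parse_dsdb_change(line: str) -> Optional[dict]:
    """Parse one log line; return the dsdbChange body, or None for anything else.

    Plain-text 'DSDB Change [Modify] at ...' lines, non-JSON noise and JSON
    records of other types all yield None.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("type") != "dsdbChange":
        return None
    body = rec.get("dsdbChange", {})
    body["timestamp"] = rec.get("timestamp")
    return body


def policy_changes(lines) -> Iterator[dict]:
    """Yield one row per successful modification of a password-policy attribute."""
    for line in lines:
        body = parse_dsdb_change(line)
        if body is None or body.get("status") != "Success":
            continue
        for attr, spec in body.get("attributes", {}).items():
            if attr not in POLICY_ATTRS:
                continue  # e.g. a description change on a user object
            for action in spec.get("actions", []):
                values = [v.get("value") for v in action.get("values", [])]
                row = {
                    "timestamp": body["timestamp"],
                    "userSid": body.get("userSid"),
                    "dn": body.get("dn"),
                    "attribute": attr,
                    "action": action.get("action"),
                    "values": values,
                }
                if attr.endswith("PwdAge"):
                    row["days"] = [ticks_to_days(int(v)) for v in values]
                yield row


# First four lines copied from the samba-gpupdate -d5 output quoted in the thread;
# the last record (description change, all-zero transaction id) is constructed.
SAMPLE_LOG = """\
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
{"timestamp": "2023-09-06T18:40:28.046428+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge": {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
{"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": {"actions": [{"action": "replace", "values": [{"value": "864000000000"}]}]}}}}
{"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdLength": {"actions": [{"action": "replace", "values": [{"value": "6"}]}]}}}}
{"timestamp": "2023-09-06T18:41:02.000000+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=test user,CN=Users,DC=testdom,DC=talps", "transactionId": "00000000-0000-0000-0000-000000000000", "sessionId": "00000000-0000-0000-0000-000000000000", "attributes": {"description": {"actions": [{"action": "replace", "values": [{"value": "constructed, not a policy change"}]}]}}}}
"""


def summarize(lines) -> list:
    """Materialise policy_changes() so the result can be inspected or asserted on."""
    return list(policy_changes(lines))


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        extra = f"  ({row['days']} days)" if "days" in row else ""
        print(f"{row['timestamp']} {row['userSid']} {row['dn']}: "
              f"{row['action']} {row['attribute']} = {row['values']}{extra}")
```

Run against the sample it reports the three policy writes on `DC=testdom,DC=talps` by `S-1-5-18` and skips the user's description change. The same records are what the DC writes to its own log when the `dsdb_json_audit` log class is enabled, so pointing the script at that log is a quick way to see which process last rewrote minPwdLength and with what value, which is the question this thread is circling around. Note that Windows keeps the age attributes negative (a 42-day maximum age is stored as -36288000000000), so the sign is preserved rather than normalised.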
