[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Thu Sep 7 09:22:59 UTC 2023


On 9/6/23 20:30, Peter Milesson via samba wrote:
>
>
> On 06.09.2023 18:59, David Mulder via samba wrote:
>> So, now I'm confused. This output shows it working exactly as intended.
>>
>> The rsop shows that you set the following policy on the sysvol:
>>
>>> samba-gpupdate --rsop --target=Computer
>>>
>>> Resultant Set of Policy
>>> Computer Policy
>>>
>>> GPO: Default Domain Policy
>>> ================================================================================================================================ 
>>>
>>>   CSE: gp_access_ext
>>> ----------------------------------------------------------------
>>>     Policy Type: System Access
>>> ----------------------------------------------------------------
>>>     [ MinimumPasswordAge ] =         0
>>>     [ MaximumPasswordAge ] =         -1
>>>     [ MinimumPasswordLength ] =         6
>>> ----------------------------------------------------------------
>>> ----------------------------------------------------------------
>> And forcing the policy to apply shows that it clearly (well, maybe 
>> not so clearly) did what you asked it to do:
>>> samba-gpupdate -d5 --force --target=Computer
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] 
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>>> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
>>> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type": 
>>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>>> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": 
>>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge": 
>>> {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] 
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>>> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
>>> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type": 
>>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>>> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": 
>>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": 
>>> {"actions": [{"action": "replace", "values": [{"value": 
>>> "864000000000"}]}]}}}}
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST] 
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN 
>>> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
>>> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type": 
>>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, 
>>> "statusCode": 0, "status": "Success", "operation": "Modify", 
>>> "remoteAddress": null, "performedAsSystem": false, "userSid": 
>>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": 
>>> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": 
>>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": 
>>> {"minPwdLength": {"actions": [{"action": "replace", "values": 
>>> [{"value": "6"}]}]}}}}
>>>
>> Note the `replace: minPwdAge [0]`, `replace: maxPwdAge 
>> [864000000000]` (-1), and `replace: minPwdLength [6]`.
>>
>> This is working as intended, as far as I can tell. So, what's the 
>> problem that I'm not understanding?
>>
> Hi David,
>
> I'm also confused.
>
> In your first post you wrote "You need to make sure you set the 
> password policy on the `Default Domain Controller Policy`."
>
> Unfortunately I cannot supply screen dumps, as access is via X2Go to 
> my office Linux workstation, and then via RDP to the Windows 10 PC.
>
> With GPME I set Default Domain Controllers Policy:
>
> Enforce password history: 0
> Maximum password age: 0
> Minimum password age: 0
> Minimum password length: 5
>
>
> What shows up are the settings for Default Domain Policy, where it was 
> set (from previous tests):
>
> Enforce password history: Not Defined
> Maximum password age: 0
> Minimum password age: 0
> Minimum password length: 6
>
> However, neither of those have got any effect whatsoever. What gets 
> applied are the settings made with samba-tool domain passwordsettings 
> on the DC. In those, minimum password length = 4. I can without 
> problems set a password with the length 4 for any domain user, and I 
> expected something else (minimum length of 5 or 6), depending on which 
> GPO gets applied. Running a gpresult /scope Computer on the Windows 10 
> PC, shows that the Default Domain Policy gets applied (with minimum 
> password length 6).
>
> When setting password for a user through Domain Users and Computers, 
> I'm not allowed to set a password with less than 4 characters. 4 is 
> OK, but 3 is not (consistent with what is set through samba-tool).
>
> The conclusion is, something does not work as expected. Either there 
> is a bug in Samba 4.18.6, or I've got something wrong on my DC.
>
> Tomorrow I will check what happens when I try to change password as a 
> user on the physical Windows PC.
>
> Thanks for the suggestions so far.
>
> Best regards,
>
> Peter
>
>
Hi David,

Now, things seem to clear a bit.

Yesterday, I could still set passwords with length = 4 characters. When 
letting everything "mature" overnight, the Default Domain Policy seems 
to apply. Now, a minimum of 6 characters are required, and when I run 
samba-tool domain passwordsettings, the parameter Minimum password 
length = 6.

Everything seems to be working, except for the fact that gpupdate 
/force in Windows does not immediately update the GPOs. If I run 
samba-gpupdate --force, the altered GPO takes effect immediately, however.

So to summarize using GPME to update the GPO controlling password policies:

  * Add apply group policies = yes in smb.conf (restart samba-ad-dc service)

  * Log in as TESTDOM\\Administrator to a domain Windows PC with RSAT
    tools installed

  * Edit the GPO Default Domain Policy/Computer
    Configuration/Policies/Windows Settings/Security Settings/Account
    Policies/Password Policy with GPME and close the GPME and GPMC

  * (Don't bother running gpupdate /force in Windows, it's got no effect
    anyway)

  * If you want the changed GPO to take effect immediately, run
    samba-gpupdate --force on the DC, otherwise wait anything from 90 -
    120 minutes.

Thanks for your help, David!

Best regards,

Peter
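The dsdbChange JSON audit lines quoted above are also what a defender can watch to see who changed the domain password policy and to what. The following is an added example, not code from the thread or from Samba: it parses audit records in the shape shown above (assumed one JSON object per line, with the human-readable "DSDB Change" summary lines interleaved), keeps only successful modifications of password-policy attributes on the domain object, and flags any minPwdLength set below a chosen floor. The log lines are constructed from the thread's format with placeholder ids.

```python
import json

# Attributes on the domain naming context that carry the domain password policy.
POLICY_ATTRS = {"minPwdLength", "minPwdAge", "maxPwdAge",
                "pwdHistoryLength", "pwdProperties", "lockoutThreshold"}


def _rec(ts, sid, dn, attr, value):
    """Build one constructed dsdbChange record in the shape Samba logs."""
    return json.dumps({"timestamp": ts, "type": "dsdbChange", "dsdbChange": {
        "status": "Success", "operation": "Modify", "userSid": sid, "dn": dn,
        "transactionId": "PLACEHOLDER-TXN", "sessionId": "PLACEHOLDER-SESSION",
        "attributes": {attr: {"actions": [{"action": "replace",
                                           "values": [{"value": value}]}]}}}})


# Constructed sample: two policy changes by SYSTEM (as in the thread), one
# unrelated change on a user object, plus a non-JSON summary line to skip.
SAMPLE_LOG = "\n".join([
    "DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status [Success]",
    _rec("2023-09-06T18:40:28.046428+0200", "S-1-5-18", "DC=testdom,DC=talps", "minPwdAge", "0"),
    _rec("2023-09-06T18:40:28.058717+0200", "S-1-5-18", "DC=testdom,DC=talps", "minPwdLength", "6"),
    _rec("2023-09-06T18:41:00.000000+0200", "S-1-5-21-PLACEHOLDER-1105",
         "CN=alice,CN=Users,DC=testdom,DC=talps", "description", "team lead"),
])


def policy_changes(log_text, domain_dn):
    """Return one record per password-policy attribute modified on the domain object."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # skip the human-readable summary lines and blanks
        if rec.get("type") != "dsdbChange":
            continue
        chg = rec["dsdbChange"]
        if chg.get("dn", "").lower() != domain_dn.lower() or chg.get("status") != "Success":
            continue
        for attr, spec in chg.get("attributes", {}).items():
            if attr in POLICY_ATTRS:
                for act in spec.get("actions", []):
                    hits.append({"timestamp": rec["timestamp"], "userSid": chg.get("userSid"),
                                 "attr": attr, "action": act["action"],
                                 "values": [v["value"] for v in act.get("values", [])]})
    return hits


def weak_min_length(changes, floor):
    """Return the changes that set minPwdLength below the given floor."""
    return [c for c in changes if c["attr"] == "minPwdLength"
            and any(int(v) < floor for v in c["values"])]
```

Pointing this at the DC's JSON audit output lets you confirm that the values a GPO refresh wrote match what the GPO declares, and spot policy changes made by any principal other than the system SID.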
