[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Thu Sep 7 18:56:29 UTC 2023



On 07.09.2023 16:43, David Mulder via samba wrote:
>
> On 9/7/23 3:22 AM, Peter Milesson via samba wrote:
>>
>> Now, things seem to clear a bit.
>>
>> Yesterday, I could still set passwords with length = 4 characters. 
>> When letting everything "mature" overnight, the Default Domain Policy 
>> seems to apply. Now, a minimum of 6 characters are required, and when 
>> I run samba-tool domain passwordsettings, the parameter Minimum 
>> password length = 6.
>>
>> Everything seems to be working, except for the fact, that gpupdate 
>> /force in Windows does not immediately update the GPOs. If I run 
>> samba-gpupdate --force, the altered GPO takes effect immediately, 
>> however.
>>
>> So to summarize using GPME to update the GPO controlling password 
>> policies:
>>
>>  * Add apply group policies = yes in smb.conf (restart samba-ad-dc
>>    service)
>>
>>  * Log in as TESTDOM\Administrator to a domain Windows PC with RSAT
>>    tools installed
>>
>>  * Edit the GPO Default Domain Policy/Computer
>>    Configuration/Policies/Windows Settings/Security Settings/Account
>>    Policies/Password Policy with GPME and close the GPME and GPMC
>>
>>  * (Don't bother running gpupdate /force in Windows, it's got no effect
>>    anyway)
>>
>>  * If you want the changed GPO to take effect immediately, run
>>    samba-gpupdate --force on the DC, otherwise wait anything from 90 -
>>    120 minutes.
>>
> Peter, would you be willing to update the wiki with instructions that 
> helped you? You mentioned previously you were following some 
> instructions that didn't mention how to set this up.
>
Hi David,

Of course I could update the wiki. I just don't know how, and what tools 
to use. And I assume that some kind of login would be required.

I'm busy tomorrow, and I want to check up a couple of things around GPOs 
and how they apply, before I'm prepared to update the wiki. My test DC 
uses Debian Bookworm with bookworm-backports (Samba 4.18.6 ATM), and I 
want to be very sure about behavior with some other distribution also. 
I'm using Arch Linux for desktop purposes, and that's always bleeding 
edge (Samba package for 4.19.0 is already current). And last, but not 
least, the behavior under Windows (10 22H2, and 11 22H2).

But one change/addition is absolutely clear. Mentioning GPOs on the wiki 
page "Setting up Samba as an Active Directory Domain Controller", with a 
link to the wiki page "Group Policy". Every sysadmin taking their domain 
seriously wants to use GPOs, if there are Windows clients in the mix.

Best regards,

Peter
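
The following is an added example, not part of the original message and not Samba's own code: a shell check, run on the DC, that the procedure summarized in the quoted text has taken effect, meaning that apply group policies is enabled in smb.conf and the DC reports the minimum password length set in the GPO. The function names are hypothetical, the sample input is constructed, and the `Minimum password length: N` line format of `samba-tool domain passwordsettings show` and the smb.conf path are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data below is constructed.

# Return 0 if smb.conf file $1 enables "apply group policies" in [global].
gp_apply_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" {
            split($0, kv, "=")
            key = tolower(kv[1]); gsub(/[ \t]/, "", key)   # names ignore case and spaces
            val = tolower(kv[2]); gsub(/[ \t]/, "", val)
            if (key == "applygrouppolicies") found = val
        }
        END { exit !(found == "yes" || found == "true" || found == "1") }
    ' "$1"
}

# Read "samba-tool domain passwordsettings show" output on stdin, print the length.
min_pwd_length() {
    sed -n 's/^Minimum password length:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# usage: policy_applied EXPECTED_LENGTH SMB_CONF < passwordsettings-output
policy_applied() {
    actual=$(min_pwd_length)
    gp_apply_enabled "$2" || { echo "apply group policies is not enabled in $2"; return 1; }
    [ "$actual" = "$1" ] || { echo "DC reports length '$actual', expected $1"; return 2; }
    echo "policy applied: minimum password length is $actual"
}

# Constructed sample input, so the check runs without a DC.
SAMPLE_CONF=$(mktemp)
printf '%s\n' '[global]' '    realm = TESTDOM.EXAMPLE' \
    '    apply group policies = yes' > "$SAMPLE_CONF"
SAMPLE_SHOW='Password complexity: on
Minimum password length: 6
Minimum password age (days): 1'
printf '%s\n' "$SAMPLE_SHOW" | policy_applied 6 "$SAMPLE_CONF"

# On a real DC (smb.conf path is an assumption, adjust to your build):
#   samba-tool domain passwordsettings show | policy_applied 6 /etc/samba/smb.conf
```

A return code of 2 right after editing the GPO corresponds to the waiting period described in the quoted text; rerunning the check after samba-gpupdate --force on the DC should then return 0.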



