Samba 4.0.0alpha7-GIT-37da26a problems with password policy

Andrew Bartlett abartlet at
Mon Feb 2 02:54:03 GMT 2009

On Fri, 2009-01-30 at 23:44 +0300, Matthieu Patou wrote:
> > I have run accros a problem, but I am not sure whether this is a samba
> > 4 problem or my problem. While using dsa.msc (users and computers), if
> > i try to create a user in a ou the wizard fails with the message that
> > the password does not meet the complexity requirements. Fair enough, I
> > choose a complex password, it does work. The same happens with dsadd,
> > but with dsadd I get to create the account, although it is disabled.
> >
> > If I try editing the default domain policy (I know, I know, I should
> > create a new policy for this, but this is just a test environment) and
> > disable the complexity requirements for the password policy like you
> > can see here:
> > (it is in dutch,
> > but basically uitgeschakeld meens disabled en 5 tekens means 5
> > characters).
> >
> > I have updated the policy several times with gpupdate /force and
> > restarted the xp box several times.
> >
> > I also added this to smb.conf  in the [globals] section:
> >
> > log file        = /var/log/samba/log.%m
> >          syslog          = 0
> >
> > but I see no log file being created. The directory /var/log/samba
> > exists, of course.
> >
> > Another thing: if I try adsiedit.msc , it crashes when trying to open
> > the properties of an object. I can browse the database but when
> > opening the properties it crashes and wants to send a report to MS (I
> > guess they would not accept it coming from a samba 4 server ;-0).
> > Any ideas?
> >    
> One thing you must be aware of is that some policies you define are for 
> the server and not for the client.
> One which came to my mind is the MaximumPasswordAge (in 
> "./Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"), this parameter is 
> clearly not used by the client but only by the server.
> I am quite incline to think that it's the same for the complexity of the 
> password.
> Right now samba4 is missing a tool to parse windows policy to translate 
> in samba options choice made in domain policy that concern the server 
> (it's my humble option).
> Concerning the complexity I would recommand you to have a look at 
> heimdal parameters (ie. check 
> this: 
> because samba4 kerberos implemtation is based on it, now it's up to you 
> to find out where the krb5.conf should be put ....

The password complexity requirements are not in Heimdal, but in the base
DN of the LDAP directory (see minPwdLength).  I still need someone to
write a small python script to parse this and the pwdProperties
attribute to set these.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list