Samba 4.0.0alpha7-GIT-37da26a problems with password policy

Andrew Bartlett abartlet at samba.org
Mon Feb 2 02:54:03 GMT 2009


On Fri, 2009-01-30 at 23:44 +0300, Matthieu Patou wrote:
> > I have run across a problem, but I am not sure whether this is a samba
> > 4 problem or my problem. While using dsa.msc (users and computers), if
> > I try to create a user in an OU the wizard fails with the message that
> > the password does not meet the complexity requirements. Fair enough, I
> > choose a complex password, it does work. The same happens with dsadd,
> > but with dsadd I get to create the account, although it is disabled.
> >
> > If I try editing the default domain policy (I know, I know, I should
> > create a new policy for this, but this is just a test environment) and
> > disable the complexity requirements for the password policy like you
> > can see here:
> > http://www.asenjo.nl/images/ad-password%20policy.png (it is in Dutch,
> > but basically "uitgeschakeld" means disabled and "5 tekens" means 5
> > characters).
> >
> > I have updated the policy several times with gpupdate /force and
> > restarted the XP box several times.
> >
> > I also added this to smb.conf  in the [globals] section:
> >
> > log file        = /var/log/samba/log.%m
> > syslog          = 0
> >
> > but I see no log file being created. The directory /var/log/samba
> > exists, of course.
> >
> > Another thing: if I try adsiedit.msc, it crashes when trying to open
> > the properties of an object. I can browse the database but when
> > opening the properties it crashes and wants to send a report to MS (I
> > guess they would not accept it coming from a samba 4 server ;-0).
> > Any ideas?
> >    
> One thing you must be aware of is that some policies you define are for
> the server and not for the client.
> One which came to my mind is the MaximumPasswordAge (in
> "./Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"); this parameter is
> clearly not used by the client but only by the server.
> I am quite inclined to think that it's the same for the complexity of the
> password.
> Right now samba4 is missing a tool to parse Windows policy and translate
> into Samba options the choices made in domain policy that concern the
> server (it's my humble opinion).
> 
> Concerning the complexity I would recommend you to have a look at
> Heimdal parameters (i.e. check
> this: http://www.h5l.org/manual/heimdal-1-2-branch/info/heimdal.html#Password-changing)
> because the samba4 Kerberos implementation is based on it; now it's up to you
> to find out where the krb5.conf should be put ....

The password complexity requirements are not in Heimdal, but in the base
DN of the LDAP directory (see minPwdLength).  I still need someone to
write a small python script to parse this and the pwdProperties
attribute to set these.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
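The script Andrew asks for, as an added example that is not part of this thread and not Samba code: it parses the [System Access] section of a GptTmpl.inf (the file Matthieu points at under Machine/Microsoft/Windows NT/SecEdit/), translates the password settings into the domain-root attributes that Samba 4 enforces (minPwdLength, pwdProperties, maxPwdAge, minPwdAge, pwdHistoryLength, the first two being the ones named above), and decodes pwdProperties back into its MS-SAMR flag names. The GptTmpl.inf text and the base DN are constructed for the example; the attribute names and flag values are the standard Active Directory ones.

```python
"""Translate GptTmpl.inf password policy into domain-root LDAP attributes.

Added example, not Samba's own tooling. The .inf text below is constructed
to match the poster's setting (complexity off, 5 character minimum).
Real GptTmpl.inf files are UTF-16 with a BOM: decode them before parsing.
"""
import configparser

# pwdProperties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
DOMAIN_PASSWORD_COMPLEX = 0x00000001
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004
DOMAIN_LOCKOUT_ADMINS = 0x00000008
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020

PWD_PROPERTY_NAMES = {
    DOMAIN_PASSWORD_COMPLEX: "DOMAIN_PASSWORD_COMPLEX",
    DOMAIN_PASSWORD_NO_ANON_CHANGE: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    DOMAIN_LOCKOUT_ADMINS: "DOMAIN_LOCKOUT_ADMINS",
    DOMAIN_PASSWORD_STORE_CLEARTEXT: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    DOMAIN_REFUSE_PASSWORD_CHANGE: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# AD stores password ages as *negative* counts of 100 ns intervals;
# "never expires" is the most negative int64.
HUNDRED_NS_PER_DAY = 24 * 60 * 60 * 10_000_000
NEVER_EXPIRES = -0x8000000000000000

# Constructed sample: what the poster's edited default domain policy would hold.
SAMPLE_GPTTMPL = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 5
PasswordComplexity = 0
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_gpttmpl(text):
    """Return the [System Access] keys as a dict, with numeric values as int."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case exactly as written in the .inf
    cp.read_string(text)
    policy = {}
    for key, value in cp["System Access"].items():
        try:
            policy[key] = int(value)
        except ValueError:
            policy[key] = value.strip('"')
    return policy


def days_to_ad_interval(days):
    """GptTmpl.inf gives ages in days; -1 means 'never'."""
    if days == -1:
        return NEVER_EXPIRES
    return -days * HUNDRED_NS_PER_DAY


def ad_interval_to_days(interval):
    """Inverse of days_to_ad_interval, for reading the current domain values."""
    if interval == NEVER_EXPIRES:
        return -1
    return -interval // HUNDRED_NS_PER_DAY


def policy_to_ldap(policy, current_pwd_properties=0):
    """Map [System Access] keys onto domain-root attributes.

    Only the complexity bit of pwdProperties is set by this policy; every other
    bit already present on the domain object is preserved untouched.
    """
    props = current_pwd_properties & ~DOMAIN_PASSWORD_COMPLEX
    if policy.get("PasswordComplexity", 0):
        props |= DOMAIN_PASSWORD_COMPLEX
    attrs = {"pwdProperties": props}
    if "MinimumPasswordLength" in policy:
        attrs["minPwdLength"] = policy["MinimumPasswordLength"]
    if "PasswordHistorySize" in policy:
        attrs["pwdHistoryLength"] = policy["PasswordHistorySize"]
    if "MaximumPasswordAge" in policy:
        attrs["maxPwdAge"] = days_to_ad_interval(policy["MaximumPasswordAge"])
    if "MinimumPasswordAge" in policy:
        attrs["minPwdAge"] = days_to_ad_interval(policy["MinimumPasswordAge"])
    return attrs


def decode_pwd_properties(value):
    """Names of the flags set in a pwdProperties value, lowest bit first."""
    return [name for bit, name in sorted(PWD_PROPERTY_NAMES.items()) if value & bit]


def to_ldif(base_dn, attrs):
    """Render the attribute changes as an LDIF modify record for the base DN."""
    lines = [f"dn: {base_dn}", "changetype: modify"]
    for attr, value in attrs.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = parse_gpttmpl(SAMPLE_GPTTMPL)
    # Pretend the domain currently has complexity on plus one unrelated flag.
    current = DOMAIN_PASSWORD_COMPLEX | DOMAIN_PASSWORD_NO_ANON_CHANGE
    attrs = policy_to_ldap(policy, current_pwd_properties=current)
    print(to_ldif("DC=example,DC=test", attrs))  # base DN is a placeholder
    print("pwdProperties now:", decode_pwd_properties(attrs["pwdProperties"]))
```

The LDIF it prints would be fed to the directory as a modify of the base DN; the complexity bit is cleared while the unrelated DOMAIN_PASSWORD_NO_ANON_CHANGE bit is kept, which is the part that is easy to get wrong when writing pwdProperties as a whole integer.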