Samba 4.0.0alpha7-GIT-37da26a problems with password policy

Matthieu Patou mat+Informatique.Samba at matws.net
Fri Jan 30 20:44:31 GMT 2009


> I have run across a problem, but I am not sure whether this is a samba
> 4 problem or my problem. While using dsa.msc (users and computers), if
> I try to create a user in an OU the wizard fails with the message that
> the password does not meet the complexity requirements. Fair enough, I
> choose a complex password, it does work. The same happens with dsadd,
> but with dsadd I get to create the account, although it is disabled.
>
> If I try editing the default domain policy (I know, I know, I should
> create a new policy for this, but this is just a test environment) and
> disable the complexity requirements for the password policy like you
> can see here:
> http://www.asenjo.nl/images/ad-password%20policy.png (it is in Dutch,
> but basically uitgeschakeld means disabled and 5 tekens means 5
> characters).
>
> I have updated the policy several times with gpupdate /force and
> restarted the xp box several times.
>
> I also added this to smb.conf in the [globals] section:
>
> log file        = /var/log/samba/log.%m
> syslog          = 0
>
> but I see no log file being created. The directory /var/log/samba
> exists, of course.
>
> Another thing: if I try adsiedit.msc , it crashes when trying to open
> the properties of an object. I can browse the database but when
> opening the properties it crashes and wants to send a report to MS (I
> guess they would not accept it coming from a samba 4 server ;-0).
> Any ideas?
>    
One thing you must be aware of is that some policies you define are for 
the server and not for the client.
One which came to my mind is the MaximumPasswordAge (in 
"./Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"), this parameter is 
clearly not used by the client but only by the server.
I am quite inclined to think that it's the same for the complexity of the 
password.
Right now samba4 is missing a tool to parse Windows policy and translate 
into samba options the choices made in the domain policy that concern the 
server (it's my humble opinion).

Concerning the complexity I would recommend you have a look at 
heimdal parameters (i.e. check 
this: http://www.h5l.org/manual/heimdal-1-2-branch/info/heimdal.html#Password-changing) 
because the samba4 Kerberos implementation is based on it; now it's up to you 
to find out where the krb5.conf should be put ....

HTH.
Matthieu.
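
The reply above points at the server-side settings in GptTmpl.inf and at the missing tool to translate them. The following is an added example, not part of the original post and not Samba code: it reads the `[System Access]` section of such a template and maps it to domain-object attributes. The sample template is constructed, and the target attribute names (`minPwdLength`, `pwdHistoryLength`, `minPwdAge`, `maxPwdAge`, `pwdProperties`) and the handling of a negative age as "never" are this example's assumptions about what such a translation would write.

```python
import configparser

# Constructed sample of a GptTmpl.inf (illustrative values, not from the thread).
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 0\r\nMaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 5\r\nPasswordComplexity = 0\r\n"
    "PasswordHistorySize = 24\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")  # the file on SYSVOL is normally UTF-16 with a BOM

DOMAIN_PASSWORD_COMPLEX = 0x1        # complexity bit in pwdProperties
TICKS_PER_DAY = 86400 * 10_000_000   # AD stores ages in 100 ns units
NEVER = -0x8000000000000000          # assumed value for "no maximum age"

def parse_system_access(raw: bytes) -> dict:
    """Return the integer settings of the [System Access] section."""
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if bom else "utf-8-sig")
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      allow_no_value=True)
    cp.optionxform = str             # INF keys are mixed case; keep them
    cp.read_string(text)
    name = "System Access"
    pairs = cp.items(name) if cp.has_section(name) else []
    return {k: int(v) for k, v in pairs if v and v.lstrip("-").isdigit()}

def to_domain_attrs(policy: dict, current_pwd_properties: int = 0) -> dict:
    """Map template keys to the attributes a domain controller enforces."""
    def age(days):                   # days -> negative 100 ns interval
        return NEVER if days < 0 else -days * TICKS_PER_DAY
    attrs = {}
    for key, attr, conv in (("MinimumPasswordLength", "minPwdLength", int),
                            ("PasswordHistorySize", "pwdHistoryLength", int),
                            ("MinimumPasswordAge", "minPwdAge", age),
                            ("MaximumPasswordAge", "maxPwdAge", age)):
        if key in policy:
            attrs[attr] = conv(policy[key])
    if "PasswordComplexity" in policy:   # change only the complexity bit
        flag = DOMAIN_PASSWORD_COMPLEX if policy["PasswordComplexity"] else 0
        attrs["pwdProperties"] = (current_pwd_properties
                                  & ~DOMAIN_PASSWORD_COMPLEX) | flag
    return attrs
```

Comparing the returned attributes with what the directory actually holds shows whether a policy edited on the client side ever reached the server that enforces it.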


