[Samba] SaMBa 4 - password complexity

Matthieu Patou mat at samba.org
Thu Apr 4 13:10:56 MDT 2013

On 04/04/2013 09:37 AM, Celso Viana wrote:
> 2013/4/4 Matthieu Patou <mat at samba.org>
>> On 04/03/2013 06:37 PM, Andrew Bartlett wrote:
>>> On Wed, 2013-04-03 at 13:51 -0300, Celso Viana wrote:
>>>> Hi all,
>>>> I have installed the Samba 4, i execute the "domain provision" command,
>>>> and
>>>> also have disabled the password complexity and decreases the minimum
>>>> password length to 3, then I joined a Windows Server 2008 as a DC for the
>>>> domain samba. After a few minutes the password complexity and minimum
>>>> values are reset to default. Anyone know why?
>>> Very interesting!
>>> My guess is that the Windows DC examined the group policy objects for
>>> the domain (perhaps some it provided itself) and found that the password
>>> policy was set.
>>> Samba doesn't know about group policy as a DC, so can't use that as the
>>> authoritative source, but it reads the setting in the directory that
>>> Windows would update.
>> Very likely,
>> By default you have 2 GPO created, one that concerns everybody and one
>> that concerns DCs. I advise you to edit the second one from Windows 2008
>> and set the complexity as you expect it to be then it should be replicated
>> on the Samba DC as well soon.
>> Matthieu.
>> --
>> Matthieu Patou
>> Samba Team
>> http://samba.org
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
> What seems weird to me is that the "Windows 2008" joined the domain and
> "imposed" its policies to my domain. If I understood right, when the
> Windows DC joins my domain, he is the authoritative source for the DC group
> policies. is that right?
Well when you have 2 DC both are authoritative, so if one DC realize 
that some attributes in the samdb are not aligned to the value defined 
(or implied) by the group policy it fixes them, it looks pretty logical 
to me. What is not correct is that if we can fix the password complexity 
during provision we should also alter the DC only group policy to have 
the same setting here.


Matthieu Patou
Samba Team

More information about the samba-technical mailing list