[Samba] Password policy under Samba 4?

Michael Wood esiotrot at gmail.com
Wed Sep 2 01:13:13 MDT 2009


2009/9/1 Michael Wood <esiotrot at gmail.com>:
> How does one set a password policy using Samba 4?
>
> I've set up Samba 4 as a domain controller with one Windows 2003
> server joined to the domain.  I've seen mention of the "check password
> script" option, but I think that's not available in Samba 4, right?
> I've also seen mention of Group Policies, but I am not sure if this is
> correct or not because I haven't been able to find anything in the
> Group Policy management tool on Windows that seems applicable.
>
> Basically I just want to know where to set the "user must change
> password after 30 days" and "password must be at least X characters
> long" settings and have these apply to users logging into the Windows
> machine.
>
> I'd appreciate it if someone could point me at the relevant documentation.

I've now found dompol.msc on a Windows 2003 Server AD domain
controller.  This seems to be what I'm looking for, but if I try
running dompol.msc on a Windows 2003 Server joined to the Samba 4
domain as a member server I get an error saying:

Failed to open the Group Policy Object.  You may not have appropriate rights.
Details: The specified domain either does not exist or could not be contacted.

This is while logged in to the Windows machine as
Administrator at example.org (where example.org is the domain I'm using
for testing.)  Also, dsa.msc works fine for adding users/groups etc.
I'm running samba with -d100 and nothing appears to be logged when I
start dompol.msc.  I can start dompol.msc, acknowledge the error and
close it down again without anything at all being added to the log.

"Group Policy Management" shows a "Default Domain Policy" and I can
create a new test policy object, but dompol.msc still gives the same
error with no evidence of having contacted Samba at all.  Even tcpdump
on the Samba box and wireshark on the Windows box show nothing
happening when I start, acknowledge and stop dompol.msc.

Any ideas?

Thanks.

-- 
Michael Wood <esiotrot at gmail.com>

