[Samba] Removing password complexity requirements under Samba4
gregs at sloop.net
Fri Aug 9 15:04:06 MDT 2013
MF> We had problems removing password complexity, and I noticed a lot of
MF> confusion on the list about exactly this topic. So I thought I would post
MF> our success.
MF> We're talking about a Samba4 PDC/AD here. Once we got Samba installed and
MF> provisioned, we used samba-tool from the command-line on the Samba box to
MF> change the domain password settings:
MF> sudo samba-tool domain passwordsettings set --complexity=off
MF> sudo samba-tool domain passwordsettings set --history-length=0
MF> sudo samba-tool domain passwordsettings set --min-pwd-age=0
MF> sudo samba-tool domain passwordsettings set --max-pwd-age=0
MF> Restarted Samba, did a gpupdate /force on the workstation, and it worked.
MF> No need to set up a GPO (although that would sometimes be preferable).
MF> We tried the samba-tool method initially, as well as a GPO, and were
MF> baffled when neither worked. I think we had our minumum password age at the
MF> default value (1 day) and were trying to reset the password the same day we
MF> created the accounts.
MF> In any case, we're able to change passwords with reckless abandon in our
MF> test environment at the moment.
One note, for the record. When you're doing the initial provision, and
are supplying the root/admin password for the domain, there is NOT a
way to reduce the complexity requirements for that operation. [Not
that you'd *want* your master domain admin password to be something
ridiculously lousy like "abc" or anything.]
But someone has asked about getting 'round it before.
If it really bothers someone, you can always meet the complexity
requirement during provision, then use the samba-tool as above, and
change it to "xyz" if that's what turns your crank. :)
More information about the samba