[Samba] Domain Functionality Level and GPO password policies
ryana at reachtechfp.com
Thu Oct 2 07:31:04 MDT 2014
What was said is true for Samba. Had I thought for a second I would have
realized that Samba does not understand group policies, so the password
settings must be handled by Samba itself. Due to this, you only have one
policy that may be set. Maybe the Samba team can introduce a working
solution for multiple policies later, but that is something I do not

On 10/02/2014 03:26 AM, Neil wrote:
> Hi Marc and Ryan,
> Thanks very much for the responses.
> So there's basically no way to allow one group one set of password
> expiry options and another group another set of options?
> Do you know if this is going to be allowed/added in at a later stage?
> Neil Wilson.
> On Wed, Oct 1, 2014 at 11:33 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>> Hello Neil,
>> On 01.10.2014 at 14:33, Neil wrote:
>>> I've been trying to work out how to set a GPO that allows certain
>>> Groups (Domain Users) a password expiry of 60 days and another group
>>> (Domain admins) an expiry of 30 days, but when looking through the
>>> Group Policy Manager I don't see how to achieve this.
>> You can't do this at the moment, because it has to be validated on the
>> domain controller(s) and Samba DCs don't know what to do with GPO.
>>> ...and I presume that if I increase this on my PDC I'll need to
>>> increase it on my other Samba4 domain controller that is replicating
>>> settings as well?
>> You raise the levels on one DC of your choice. The setting is stored
>> inside the AD. So the replication brings it automatically to each DC in
>> your domain/forest.
>>> Can I do this live while the servers are in use and should I expect
>>> any issues?
>> Yes, you can. The levels are just values in the AD. See:
>> For Samba they don't have a high weight at the moment. But if you're
>> having Windows servers in your forest, the levels allow new features (AD
>> recycle bin, etc.), but also exclude older Windows server versions from
>> being a DC in your domain/forest. So take my warning seriously: :-)