[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)

Ole Traupe ole.traupe at tu-berlin.de
Tue Dec 8 16:29:17 UTC 2015


As far as I understand Samba and the wiki in this regard, the Samba4 
DC's password policy is no typical domain policy (no GPO). It can't be 
inherited by Windows clients. So I suspect the full story to be:

- on the Unix side (DC and member server) the Samba password rules apply
- on the Windows client side the inherited Windows POLICIES apply (as 
far as possible)

In effect, if e.g. password lockout threshold is configured differently 
on Samba DC and Windows clients, the lower threshold of the two will 
determine the behavior of the domain (on Windows clients).

Does that sound reasonable?

Ole


Am 08.12.2015 um 17:06 schrieb mathias dufresne:
> I expect you already did that but in case of... did you rebooted your
> Windows client to apply new Computer's GPO (or use gpupdate MS tool)?
>
> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi,
>>
>> here on the wiki
>>
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>>
>>     "Is it possible to set user specific password policies in Samba4 (e.
>>     g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>> passwordsettings' to change password policies. But this only applies on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect
>> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
>> to get the account locked out (tested on 3 different machines). And on
>> domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
>>
>> Ole
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>




More information about the samba mailing list