[Samba] Time synchronization and Password Policies
Marco Gaiarin
gaio at sv.lnf.it
Tue Nov 21 15:35:06 UTC 2017
Hello! L.P.H. van Belle via samba
On that day it was said...
> Yes, but only the GPO policies and these are not applied to the samba server.
No. I've looked back at the list archive, and I've not found the email, but
I'm sure that someone here (Andrew?) replied to me that password policies
are replicated between DCs.
Also, it seems strange to me that those settings get written into the LDAP AD
data and not used by every DC:
root@vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base | grep -i pwd
maxPwdAge: -77760000000000
minPwdAge: 0
minPwdLength: 8
pwdProperties: 1
pwdHistoryLength: 5
Also, I've not set that value on my second DC, but:
root@vdcpp1:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it'
Password complexity: on
Store plaintext passwords: off
Password history length: 5
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 5
and these are exactly the settings on my first DC, correctly propagated
on the second.
So, trying to summarize:
a) 'samba-tool domain passwordsettings' sets the password policy for the
''samba'' part, for every DC in the domain
b) these password policies are not enforced on the Windows client, and
have to be ''replicated'' in a GPO.
Right?
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
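
Added example, not part of the original message and not Samba project code: a short Python check that decodes the raw domain-head attributes shown by ldbsearch into the terms that 'samba-tool domain passwordsettings show' prints, and reports any attribute that differs between two DCs. The function names are hypothetical, the second DC's values are a constructed sample, and the pwdProperties bit values are the standard AD flags DOMAIN_PASSWORD_COMPLEX (0x1) and DOMAIN_PASSWORD_STORE_CLEARTEXT (0x10).

```python
import re

TICKS_PER_DAY = 10_000_000 * 86_400      # AD stores ages as negative 100 ns intervals
DOMAIN_PASSWORD_COMPLEX = 0x01           # pwdProperties bit flags
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
PWD_ATTRS = ("maxPwdAge", "minPwdAge", "minPwdLength", "pwdProperties", "pwdHistoryLength")

# Attribute values as shown in the message above.
DC1_LDIF = """\
maxPwdAge: -77760000000000
minPwdAge: 0
minPwdLength: 8
pwdProperties: 1
pwdHistoryLength: 5
"""

# Constructed sample: a hypothetical second DC whose local copy has drifted.
DC2_LDIF = DC1_LDIF.replace("minPwdLength: 8", "minPwdLength: 7")

def parse_pwd_attrs(ldif):
    """Pull the password-policy attributes out of ldbsearch LDIF output."""
    found = {}
    for line in ldif.splitlines():
        m = re.match(r"^(\w+):\s*(-?\d+)\s*$", line)
        if m and m.group(1) in PWD_ATTRS:
            found[m.group(1)] = int(m.group(2))
    return found

def ticks_to_days(value):
    return abs(value) // TICKS_PER_DAY

def decode_policy(attrs):
    """Translate raw attributes into the labels 'passwordsettings show' uses."""
    props = attrs["pwdProperties"]
    return {
        "Password complexity": "on" if props & DOMAIN_PASSWORD_COMPLEX else "off",
        "Store plaintext passwords": "on" if props & DOMAIN_PASSWORD_STORE_CLEARTEXT else "off",
        "Password history length": attrs["pwdHistoryLength"],
        "Minimum password length": attrs["minPwdLength"],
        "Minimum password age (days)": ticks_to_days(attrs["minPwdAge"]),
        "Maximum password age (days)": ticks_to_days(attrs["maxPwdAge"]),
    }

def policy_drift(ldif_a, ldif_b):
    """Return {attribute: (value_a, value_b)} for every attribute that differs."""
    a, b = parse_pwd_attrs(ldif_a), parse_pwd_attrs(ldif_b)
    return {k: (a.get(k), b.get(k)) for k in PWD_ATTRS if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for label, value in decode_policy(parse_pwd_attrs(DC1_LDIF)).items():
        print(f"{label}: {value}")
    print("drift:", policy_drift(DC1_LDIF, DC2_LDIF))
```

To use it on real data, feed each DC's output of the ldbsearch command from the message into policy_drift; an empty result means the five attributes match.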