[Samba] Time synchronization and Password Policies

[lingpanda101]

On 11/21/2017 4:59 PM, Andrew Bartlett wrote:
> On Tue, 2017-11-21 at 09:02 -0500, lingpanda101 via samba wrote:
>> On 11/21/2017 4:34 AM, lists via samba wrote:
>>> Hi,
>>>
>>> On 21-11-2017 4:40, Anantha Raghava via samba wrote:
>>>> /*Password Policies*/
>>>>
>>>> Password policies are not getting enforced on the clients. Initially
>>>> we thought that we have to set those policies using "samba-tool user
>>>> passwordsettings" and not on Windows GPO. As this was not enforcing
>>>> the password policies, we set the GPO with the same settings. Yet the
>>>> same result. Password Policies are not getting applied.
>>>>
>>>> We have three domain controllers in out environment.
>>> No expert, and please someone correct me if I'm wrong, but:
>>>
>>> I think the samba-tool user passwordsettings are local-DC-specific, so
>>> you need to run it on all your DCs.
>>> Could it be that you configured only one DC, and your password change
>>> happens to be talking with a different DC..?
>>>
>>> MJ
>>>
>> You are correct from my own environment.
>>
>>       Is this how a Microsoft domain behaves as well or a limit of Samba
>> not being able to replicate these attributes? If anyone knows btw. Thanks.
> MJ's statement is not correct.  The password policy attributes are
> replicated, the configuration only needs to be done on a single DC.
>
> Additionally, for Samba 4.8 it will (currently off by default) be
> possible for a DC to read the password policy and other security
> settings from the GPO files.
>
> Thanks,
>
> Andrew Bartlett
>
Andrew,

     Just tested a change on 4.7 and sure enough the replication was 
instantaneous. I haven't made changes to my password settings in some 
time, so not sure when things improved, but this wasn't always the case. 
I wonder in my case if it was merely a delay in replication and at some 
point it would have been reflected on the other DC's.

-- 
--
James