[Samba] 'check password script' and Join...
Rowland Penny
rpenny at samba.org
Tue Oct 24 16:50:09 UTC 2017
On Tue, 24 Oct 2017 18:07:23 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > The password settings are related to the DC and by default you
> > cannot set or change a password if it isn't complex enough
>
> Ok.
>
>
> >, you do not need to use an external script.
>
> Ahem, someone out there need it. ;-)
Why ? if you use the default settings, then you cannot set a simple
password, or am I missing something here. Just what complexity do you
require ?
>
> This mean that, if i keep a 'check password script', i could also hit
> some trubles on, eg, workstation join or the renew of the machine
> password?
Possibly, I just rely on the default settings on the DC and don't have
a problem, but you may have problems with workstation passwords, I just
don't know.
>
>
> > Problem with using GPOs for password complexity, GPOs do not apply
> > to Samba DCs.
>
> Ok, i mean that: i can setup password policies on GPOs, but the DCs
> cannot ''enforce'' it.
Yes, but they are enforced on windows clients.
>
>
> So, trying to summarize:
>
> a) 'check password script' are called for every password change, also
> the ''system'' one (join, ...); this can be a potential source of
> trouble.
Possibly
>
> b) password policies defined with 'samba-tool domain passwordsettings
> set' are ''per DCs'', they not get ''replicated''.
They are replicated.
>
> c) if you need to enforce password policies in a domain, you have to
> set password policies for every DCs.
You should only have to set them on one DC.
>
>
> Right? Thanks.
>
>
> PS: and domain members? How they enforce passwords policies? Directly
> on AD DC, i suppose... but i'll ask. ;-)
Seeing as the passwords are stored on the DC and you change them
there, I will leave you to decide that ;-)
Rowland
More information about the samba
mailing list