[Samba] 'check password script' and Join...

Rowland Penny rpenny at samba.org
Tue Oct 24 16:50:09 UTC 2017

On Tue, 24 Oct 2017 18:07:23 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> > The password settings are related to the DC and by default you
> > cannot set or change a password if it isn't complex enough
> Ok.
> >, you do not need to use an external script.
> Ahem, someone out there need it. ;-)

Why ? if you use the default settings, then you cannot set a simple
password, or am I missing something here. Just what complexity do you
require ?

> This mean that, if i keep a 'check password script', i could also hit
> some trubles on, eg, workstation join or the renew of the machine
> password?

Possibly, I just rely on the default settings on the DC and don't have
a problem, but you may have problems with workstation passwords, I just
don't know.

> > Problem with using GPOs for password complexity, GPOs do not apply
> > to Samba DCs.
> Ok, i mean that: i can setup password policies on GPOs, but the DCs
> cannot ''enforce'' it.

Yes, but they are enforced on windows clients.

> So, trying to summarize:
> a) 'check password script' are called for every password change, also
>  the ''system'' one (join, ...); this can be a potential source of
> trouble.


> b) password policies defined with 'samba-tool domain passwordsettings
>  set' are ''per DCs'', they not get ''replicated''.

They are replicated.

> c) if you need to enforce password policies in a domain, you have to
>  set password policies for every DCs.

You should only have to set them on one DC.

> Right? Thanks.
> PS: and domain members? How they enforce passwords policies? Directly
>   on AD DC, i suppose... but i'll ask. ;-)

Seeing as the passwords are stored on the DC and you change them
there, I will leave you to decide that ;-)


More information about the samba mailing list