[Samba] 'check password script' and Join...
Andrew Bartlett
abartlet at samba.org
Tue Oct 24 17:55:47 UTC 2017
On Tue, 2017-10-24 at 18:07 +0200, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
>
> > The password settings are related to the DC and by default you cannot
> > set or change a password if it isn't complex enough
>
> Ok.
>
>
> > , you do not need to use an external script.
>
> Ahem, someone out there needs it. ;-)
>
> This means that, if I keep a 'check password script', I could also hit
> some troubles on, e.g., workstation join or the renewal of the machine
> password?
No.

	/* Only non-trust accounts have restrictions (possibly this test is the
	 * wrong way around, but we like to be restrictive if possible
	 */
	io->u.restrictions = !(io->u.userAccountControl
		& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
			| UF_SERVER_TRUST_ACCOUNT));

Later:

	if (io->u.restrictions == 0) {
		/* FIXME: Is this right? */
		return LDB_SUCCESS;
	}

The script won't be run for machine accounts.
> > Problem with using GPOs for password complexity, GPOs do not apply to
> > Samba DCs.
>
> Ok, I mean that: I can set up password policies on GPOs, but the DCs
> cannot ''enforce'' it.
The settings don't apply from the GPO into the AD DC yet. I am
reviewing patches to fix that however.
> So, trying to summarize:
>
> a) 'check password script' is called for every password change, also
> the ''system'' one (join, ...); this can be a potential source of
> trouble.
No, just for users. That could include 'service accounts' created by
other software, but not actual machine accounts.
> b) password policies defined with 'samba-tool domain passwordsettings
> set' are ''per DC''; they do not get ''replicated''.
No, they are replicated.
> c) if you need to enforce password policies in a domain, you have to
> set password policies for every DC.
No, the settings are in the replicated sam.ldb.
> Right? Thanks.
>
>
> PS: and domain members? How do they enforce password policies? Directly
> on AD DC, I suppose... but I'll ask. ;-)
They don't ask the DC for the choice of local user passwords as far as
I'm aware. There is an API to check if a password is OK (SAMR
ValidatePassword), but I've not seen it called for that, but I've also
not really been looking.
Thanks for asking for clarification, I hope this puts you at ease.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
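
An added example, not part of the original message and not Samba code: it applies the same trust-bit test as the quoted snippet to LDIF records (the format ldbsearch prints) to list which accounts are subject to the password checks. The function names and the sample records are constructed for illustration; the UF_* values are the documented userAccountControl bits.

```python
# userAccountControl trust bits (values from Microsoft's AD documentation)
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
TRUST_MASK = (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
              | UF_SERVER_TRUST_ACCOUNT)

def parse_ldif(text):
    """Return one dict per LDIF record, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # folded line continues the previous one
        else:
            lines.append(raw)
    records, record = [], {}
    for line in lines + [""]:           # trailing "" flushes the last record
        if not line.strip():
            if record:
                records.append(record)
            record = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            record[attr] = value.strip()
    return records

def has_restrictions(uac):
    """Same test as the quoted snippet: true unless a trust bit is set."""
    return not (uac & TRUST_MASK)

def restricted_accounts(ldif_text):
    """sAMAccountNames whose password changes are subject to the checks."""
    return [r["sAMAccountName"] for r in parse_ldif(ldif_text)
            if "sAMAccountName" in r and "userAccountControl" in r
            and has_restrictions(int(r["userAccountControl"]))]

# Constructed sample in the shape ldbsearch prints (not real directory data)
SAMPLE = """\
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc-backup,OU=A long organizational unit name,
 DC=example,DC=com
sAMAccountName: svc-backup
userAccountControl: 66048

sAMAccountName: WS01$
userAccountControl: 4096
"""
if __name__ == "__main__": print(restricted_accounts(SAMPLE))
```

The service account (a normal account with the don't-expire flag) is listed alongside the ordinary user, while the workstation account is not.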