[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION

Rowland penny rpenny at samba.org
Mon Sep 23 07:59:54 UTC 2019

On 23/09/2019 08:25, Marco Gaiarin via samba wrote:
> Hello! tomek82 via samba
>    On that day it was said...
>> ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION')
> You have a 'check password script' enabled in smb.conf?
> Try to do (on a DC):
> 	samba-tool domain passwordsettings set --complexity=off
> and try again the join, then clearly re-enable it:
> 	samba-tool domain passwordsettings set --complexity=on

Sorry Marco, but this has nothing to do with the OP's smb.conf, good 
thought though ;-)

It looks like Windows does things in a different way to Samba, 
everything I can find tells me the maximum user password length is 127 
characters if created in a GUI, but up to 256 characters if done 
programmatically (i.e. in a script).

Andrew referred to the MS-SAMR spec, it might have helped if he had said 
just what part. When Samba creates the 'dns-*' user for a DC using 
bind9, it uses a random password between 128 and 256 characters in 
length, so should be suitable. The only thing I can think of is, somehow 
the maximum password length or complexity is set differently on the 
Windows DC that the OP is attempting to join the Samba DC to.

This is only a problem for the OP because he attempted to join with 
Bind9, the affected code is not run if you use the internal dns server.