[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
rpenny at samba.org
Mon Sep 23 07:59:54 UTC 2019
On 23/09/2019 08:25, Marco Gaiarin via samba wrote:
> Hello! tomek82 via samba
> On that day, it was said...
>> ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION')
> You have a 'check password script' enabled in smb.conf?
> Try to do (on a DC):
> samba-tool domain passwordsettings set --complexity=off
> and try the join again, then clearly re-enable it:
> samba-tool domain passwordsettings set --complexity=on
Sorry Marco, but this has nothing to do with the OP's smb.conf, good
thought though ;-)
It looks like Windows does things in a different way to Samba;
everything I can find tells me the maximum user password length is 127
characters if created in a GUI, but up to 256 characters if done
programmatically (i.e. in a script).
Andrew referred to the MS-SAMR spec; it might have helped if he had said
just what part. When Samba creates the 'dns-*' user for a DC using
bind9, it uses a random password between 128 and 256 characters in
length, so should be suitable. The only thing I can think of is that
somehow the maximum password length or complexity is set differently on
the Windows DC that the OP is attempting to join the Samba DC to.
This is only a problem for the OP because he attempted to join with
Bind9; the affected code is not run if you use the internal DNS server.