[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Sat Aug 26 19:00:53 UTC 2023

On 26.08.2023 19:54, Rowland Penny via samba wrote:
> On Sat, 26 Aug 2023 19:03:19 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>> On 26.08.2023 18:13, Rowland Penny via samba wrote:
>>> On Sat, 26 Aug 2023 18:02:44 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>> Hi Anantha,
>>> Why do I get the feeling I missed something here ?
>>>> I now know (the hard way) that it's possible to manage the password
>>>> policies with samba-tool. But through my futile trials and
>>>> information on different web sites (very little documentation in
>>>> the Samba wiki), it is evident that it's not possible using Group
>>>> Policy Manager from the RSAT tool suite. IMHO, it's quite
>>>> perplexing for a user that does not know Samba AD DC configuration
>>>> extremely well.
>>>> If you have got a workaround, allowing the use of the RSAT Group
>>>> Policy Manager, I, and probably many other, would be happy to get
>>>> some information how this is done.
>>> Have you read this:
>>> https://dmulder.github.io/group-policy-book/sec.html
>>> Rowland
>> Hi Rowland,
>> Thanks for the link. I will study it with interest.
>> However, I'm setting up a Windows only test domain, the only Linux
>> box is the Samba DC, and I will try using the RSAT tool suite as far
>> as possible. Trying to set the password policies for the domain with
>> the Windows GPME (logged in as domain\administrator), got me
>> absolutely nowhere. Setting the policies using samba-tool worked.
>> Reading through previous posts on the Samba list, the only way seems
>> to be using samba-tool, unless I missed something essential. The ADMX
>> templates both for Samba and for Windows 10 22H2 have been loaded.
>> What I'm trying to point out, is that there isn't one word about
>> setting GPOs in the Wiki page with instructions for setting up a AD
>> DC. The book in the link definitely deserves to be mentioned on that
>> page.
>> I'm going to study the book, and see if I get it working with GPMC.
>> Best regards,
>> Peter
> I do not use GPOs, so know little about them, not enough to even think
> about altering the Samba wiki, but if you feel that something needs
> changing, then please make any changes required.
> The information I linked to was written by David Mulder,
> who it would seem is the Samba GPO guru and he seems to think that
> using the GPME works, if it doesn't, then this is probably a bug, so if
> necessary, please open a bug report.
> Rowland
Hi Rowland,

I would like to wait until the beginning of next week to get some more 
input on this. I'm not a Samba expert, and if it seems I have forgot 
something obvious, that needs to be straightened out first. What little 
information I succeeded to pick up, indicates that the only way to 
change domain password policies is through samba-tool. I may be wrong, 
and it also possible I hit a bug as you noted.

I am using Debian Bookworm, Samba 4.18.6 from bookworm-backports.

Thanks for your help so far.


More information about the samba mailing list