[Samba] Domain password policy with Samba AD DC

Andrew Bartlett abartlet at samba.org
Sun Aug 27 21:45:47 UTC 2023

On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> Hi folks,
> I just wonder why it is not possible to set domain password policies
> with GPO, using the Windows RSAT Group Policy Manager? For most other
> settings, using GPOs through RSAT works.
> For somebody who sets up a Samba AD DC infrequently, this is a huge
> trap. There should be a very visible warning on the AD DC setup wiki
> page, that you *must* set up password policies with samba-tool, if you
> plan to change the default password policies (which I assume most will
> do). It should also be very clearly noted that it is not possible to do
> this with RSAT (as lots of people will try that anyway). This warning
> should also be displayed on the Group Policy wiki page. If there are
> other GPO policies that cannot be set with RSAT, those should also be
> listed.

Thanks Peter for reaching out on this,

So, the challenge is that in the past, Samba didn't know how to read
these, and the settings were just ignored.

Now it can, but given there are now existing domains, which setting
should be primary, the one in the DB or the one in the GPO?

That is why the smb.conf setting "apply group policies" needs to be set
to Yes if the GPO approach is to be taken. 

Feel free to ask for a wiki account to point this out if you feel it
would be helpful.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
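
An added example (not part of the original message and not Samba's own code): a check of whether a DC's smb.conf enables "apply group policies", the precondition the reply names for taking the GPO approach to password policy. The function names and sample configurations are constructed for illustration; the name and boolean handling follows smb.conf(5), and `include` directives are not followed.

```python
# Added example. Sample smb.conf text below is constructed, not from a real DC.
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

SAMPLE_DEFAULT = """
[global]
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    # apply group policies = yes   (commented out, so not in effect)
"""
SAMPLE_GPO = SAMPLE_DEFAULT + "    Apply Group  Policies = Yes\n"


def _norm(name):
    # Samba ignores case and all whitespace in section and parameter names.
    return "".join(name.split()).lower()


def global_params(text):
    """Return normalized [global] parameters; the last occurrence wins."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[_norm(key)] = value.strip()
    return params


def gpo_approach_enabled(text):
    """True only if 'apply group policies' is a true boolean in [global]."""
    value = global_params(text).get("applygrouppolicies", "no").lower()
    if value in TRUE:
        return True
    if value in FALSE:
        return False                       # password policy is managed with samba-tool
    raise ValueError(f"'apply group policies' is not a boolean: {value!r}")
```

A `False` result means password policy changes made in the RSAT Group Policy editor should not be relied on for that DC.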
