[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Mon Aug 28 07:45:46 UTC 2023

On 27.08.2023 23:45, Andrew Bartlett via samba wrote:
> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
>> Hi folks,
>> I just wonder why it is not possible to set domain password policies
>> with GPO, using the Windows RSAT Group Policy Manager? For most other
>> settings, using GPOs through RSAT works.
>> For somebody who sets up a Samba AD DC infrequently, this is a huge
>> trap. There should be a very visible warning on the AD DC setup wiki
>> page, that you *must* setup password policies with samba-tool, if you
>> plan to change the default password policies (which I assume most will
>> do). It should also be very clearly noted that it is not possible to do
>> this with RSAT (as lots of people will try that anyway). This warning
>> should also be displayed on the Group Policy wiki page. If there are
>> other GPO policies that can not be set with RSAT, those should also be
>> listed.
> Thanks Peter for reaching out on this,
> So, the challenge is that in the past, Samba didn't know how to read
> these, and the settings were just ignored.
> Now it can, but given there are now existing domains, which setting
> should be primary, the one in the DB or the one in the GPO?
> That is why the smb.conf setting "apply group policies" needs to be set
> to Yes if the GPO approach is to be taken.
> Feel free to ask for a wiki account to point out this if you feel it
> would be helpful.
> Andrew Bartlett
Hi Andrew,

Many thanks for the information. I guess which of the methods for
setting password policies is used depends on local conditions, and admin
preferences and experience. In a mainly Windows oriented domain, setting
things through the GPMC would be the preferred way, and in a mixed, or
Linux oriented domain, with samba-tool.

What I pointed out in my original post was the absence of information
about GPO handling in the Samba wiki, when setting up a new AD DC. IMHO
this information is absolutely essential for successful domain
operations with Windows. Even in a fairly small domain with a Samba AD
DC, a server (Samba or Windows), and a few workstations, operations will
be quite impaired without applying at least a few essential GPOs. In my
particular case, folder redirection, and a few other things. I couldn't
imagine setting up the domain without GPOs; it would end up in a
horrible mess.

So, just a few lines and a link to the GPO wiki page in the instructions
for setting up a Samba AD DC will be sufficient. In the GPO wiki page,
your information about "apply group policies" should not be missing,
nor a link to David Mulder's GPO "bible"
(https://dmulder.github.io/group-policy-book/sec.html), which Rowland
kindly pointed out.

Once again, many thanks, it helps a lot.

Best regards,
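As an added illustration of the two paths discussed in this thread (this is example code written for this page, not a script from the thread or from the Samba project), the POSIX shell snippet below does two things: it checks whether `apply group policies` is enabled in the `[global]` section of an smb.conf, which is what decides whether the GPO-defined policy or the database policy set with samba-tool is authoritative, and it wraps the samba-tool invocation for the database path. The smb.conf path and the password policy values are assumptions chosen for the example; pick your own.

```shell
#!/bin/sh
# Example (not from the thread): inspect the smb.conf switch that decides
# whether GPO password settings are honoured, and show the samba-tool path.

# Assumed path; override with SMB_CONF=/path/to/smb.conf
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# gpo_enabled FILE -> exit 0 if "apply group policies" is on in [global].
# Minimal parser: only the [global] section is read, ';' and '#' lines are
# comments, parameter names are compared with whitespace and case removed
# (as Samba does), and yes/true/1 count as enabled. Last occurrence wins.
gpo_enabled() {
    awk '
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            next
        }
        in_global {
            n = index($0, "=")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, n + 1));   gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "applygrouppolicies")
                found = (val == "yes" || val == "true" || val == "1") ? 1 : 2
        }
        END { exit (found == 1) ? 0 : 1 }
    ' "$1"
}

# policy_source FILE -> prints "gpo" if the GPO-defined password policy is
# applied, otherwise "samba-tool" (the policy stored in the directory wins).
policy_source() {
    if gpo_enabled "$1"; then
        echo "gpo"
    else
        echo "samba-tool"
    fi
}

# The samba-tool path. The values are example choices, not recommendations
# from the thread; adjust them to your own policy, then review the result.
set_policy_with_samba_tool() {
    samba-tool domain passwordsettings set \
        --complexity=on \
        --history-length=24 \
        --min-pwd-length=12 \
        --min-pwd-age=1 \
        --max-pwd-age=90
    samba-tool domain passwordsettings show
}

# Report which source is authoritative on this host, if the config exists.
if [ -r "$SMB_CONF" ]; then
    printf 'Password policy source for %s: %s\n' "$SMB_CONF" "$(policy_source "$SMB_CONF")"
fi
```

The awk parser is deliberately small; on a real DC the authoritative check is `testparm -s --parameter-name='apply group policies'`, which applies Samba's own parsing and defaults. The point to take from the script is the decision it encodes: with the switch off (the default), whatever is configured in the Default Domain Policy GPO is ignored and only `samba-tool domain passwordsettings` changes the effective policy.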

