[Samba] Domain password policy with Samba AD DC
miles at atmos.eu
Wed Aug 30 07:49:05 UTC 2023
On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
>> On 27.08.2023 23:45, Andrew Bartlett wrote:
>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
>>>> Hi folks,
>>>> I just wonder why it is not possible to set domain password
>>>> policies with GPO, using the Windows RSAT Group Policy Manager?
>>>> For most other settings, using GPOs through RSAT works.
>>>> For somebody who sets up a Samba AD DC infrequently, this is a
>>>> huge trap. There should be a very visible warning on the AD DC
>>>> setup wiki page, that you *must* set up password policies with
>>>> samba-tool, if you plan to change the default password policies
>>>> (which I assume most will do). It should also be very clearly noted
>>>> that it is not possible to do this with RSAT (as lots of people
>>>> will try that anyway). This warning should also be displayed on the
>>>> Group Policy wiki page. If there are other GPO policies that can
>>>> not be set with RSAT, those should also be listed.
>>> Thanks Peter for reaching out on this,
>>> So, the challenge is that in the past, Samba didn't know how to
>>> read these, and the settings were just ignored.
>>> Now it can, but given there are now existing domains, which
>>> setting should be primary, the one in the DB or the one in the GPO?
>>> That is why the smb.conf setting "apply group policies" needs to be
>>> set to Yes if the GPO approach is to be taken.
>>> Feel free to ask for a wiki account to point out this if you feel
>>> it would be helpful.
>>> Andrew Bartlett
>> Hi folks,
>> I've tried to get password policies setting using the Windows GPMC
>> from RSAT working. Unfortunately, no change. It just does not work.
>> Here is the smb.conf for the AD DC:
>> # Global parameters
>> [global]
>>         dns forwarder = 184.108.40.206
>>         netbios name = TESTADC1
>>         realm = TESTDOM.TALPS
>>         server role = active directory domain controller
>>         workgroup = TESTDOM
>>         idmap_ldb:use rfc2307 = yes
>>         apply group policies = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
>>         read only = No
>> The only way to set password policies for the domain, still seems to
>> be through samba-tool domain passwordsettings and the parameter
>> "apply group policies" has got no effect at all.
>> If I create a gpresult.html file on a Windows member PC, it shows the
>> settings I have set with the Windows Group Policy Management Editor
>> (GPME), but when setting a password for a user in Active Directory
>> Users and Computers, the settings are not honored.
>> In GPME there is also the folder Samba\smb.conf, where the different
>> password policy parameters can be set. No effect at all.
>> In practice, this is not a big deal. You probably set the domain
>> password policies once, and forget about it.
>> I'm not going to waste more time on this. Just use samba-tool domain
>> passwordsettings for setting password policies, and forget about
> I would also note that the even better password policies - fine grained
> password policies - (password setting objects) were never available via
> GPMC and were always directly set to the directory.
> We have good tooling for that in samba-tool, plus whatever windows uses
> would edit the same LDAP attributes.
> Andrew Bartlett
Thanks for the information. In my setting, standard password policies
Is it possible to set password policies at all using GPMC from RSAT? I
did not succeed, as I wrote. It's not an important issue, however it
would have been nice to be able to use one tool for everything. In a
small setting like mine (about 40 users), I just set it once with
samba-tool, and that's it. I would be very surprised if the need ever
arises to change something there. I would sooner expect that there will
be requirements for other types of authentication that are more secure
in the not so far future.
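The practical conclusion of the thread is that the values samba-tool reads from the directory are what the DC enforces, whatever GPMC or a gpresult report on a member PC shows. The script below is an added example, not code from this post or from the Samba project: it parses the output of "samba-tool domain passwordsettings show", compares it with a baseline, and prints the single "samba-tool domain passwordsettings set" command that would bring the domain in line. The baseline values, the sample output (which mirrors the defaults of a freshly provisioned domain) and the domain name are assumptions made up for the example; only the samba-tool labels and option names are real.

```python
"""Audit a Samba AD DC's domain password policy against a baseline.

Added example, not from the mailing-list post or the Samba project.
Because GPMC-set password settings are not honoured by the DC, the
authoritative values are the ones `samba-tool domain passwordsettings show`
reads from the directory. This script parses that output, reports drift
from a baseline, and builds the `samba-tool domain passwordsettings set`
command that fixes it. BASELINE is an assumed policy, not advice from the
thread.
"""
import re
import subprocess
import sys

# Labels printed by `samba-tool domain passwordsettings show`, mapped to the
# option names accepted by `samba-tool domain passwordsettings set`.
LABEL_TO_OPTION = {
    "Password complexity": "complexity",
    "Store plaintext passwords": "store-plaintext",
    "Password history length": "history-length",
    "Minimum password length": "min-pwd-length",
    "Minimum password age (days)": "min-pwd-age",
    "Maximum password age (days)": "max-pwd-age",
    "Account lockout duration (mins)": "account-lockout-duration",
    "Account lockout threshold (attempts)": "account-lockout-threshold",
    "Reset account lockout after (mins)": "reset-account-lockout-after",
}

# Assumed baseline policy (illustrative values, not a recommendation).
BASELINE = {
    "complexity": "on",
    "store-plaintext": "off",
    "history-length": 24,
    "min-pwd-length": 12,
    "min-pwd-age": 1,
    "max-pwd-age": 90,
    "account-lockout-duration": 30,
    "account-lockout-threshold": 5,
    "reset-account-lockout-after": 30,
}

# Constructed sample of the `show` output for a freshly provisioned domain
# (Samba's default values), so the example runs offline. Domain name assumed.
SAMPLE_SHOW_OUTPUT = """\
Password information for domain 'DC=testdom,DC=talps'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""


def parse_show_output(text):
    """Return {option-name: value} from `show` output; numeric values as int."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s*(\S+)\s*$", line)
        if not m or m.group(1) not in LABEL_TO_OPTION:
            continue  # header line, blank line or unknown label
        label, value = m.groups()
        settings[LABEL_TO_OPTION[label]] = int(value) if value.isdigit() else value
    return settings


def find_drift(settings, baseline=BASELINE):
    """Return {option: (current, wanted)} for every value that deviates.

    A missing setting counts as drift (current is None)."""
    drift = {}
    for option, wanted in baseline.items():
        current = settings.get(option)
        if current != wanted:
            drift[option] = (current, wanted)
    return drift


def remediation_command(drift):
    """Build one samba-tool invocation fixing every drifted option, or None."""
    if not drift:
        return None
    args = ["samba-tool", "domain", "passwordsettings", "set"]
    for option, (_, wanted) in sorted(drift.items()):
        args.append(f"--{option}={wanted}")
    return " ".join(args)


def main():
    if "--live" in sys.argv:
        # Query the DC itself; run on the DC as a user who can read sam.ldb.
        text = subprocess.run(
            ["samba-tool", "domain", "passwordsettings", "show"],
            check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SHOW_OUTPUT
    drift = find_drift(parse_show_output(text))
    for option, (current, wanted) in sorted(drift.items()):
        print(f"{option}: is {current}, baseline {wanted}")
    print(remediation_command(drift) or "domain password settings match the baseline")


if __name__ == "__main__":
    main()
```

Run it with --live on the DC after any change made through GPME to confirm whether the directory actually changed; on the sample output it reports drift in min-pwd-length, max-pwd-age and account-lockout-threshold. The script only covers the domain-wide defaults; the fine-grained policies Andrew mentions are managed through the "samba-tool domain passwordsettings pso" subcommands and are not checked here.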