[Samba] Domain password policy with Samba AD DC

Rowland Penny rpenny at samba.org
Wed Aug 30 14:21:44 UTC 2023


On Wed, 30 Aug 2023 12:40:08 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 09:49:05 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
> >>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba
> >>>>> wrote:
> >>>>>> Hi folks,
> >>>>>> I just wonder why it is not possible to set domain password
> >>>>>> policies with GPO, using the Windows RSAT Group Policy Manager?
> >>>>>> For most other settings, using GPOs through RSAT works.
> >>>>>> For somebody who sets up a Samba AD DC infrequently, this is a
> >>>>>> huge trap. There should be a very visible warning on the AD DC
> >>>>>> setup wiki page, that you *must* setup password policies with
> >>>>>> samba-tool, if you plan to change the default password policies
> >>>>>> (which I assume most will do). It should also be very clearly
> >>>>>> noted that it is not possible to do this with RSAT (as lots of
> >>>>>> people will try that anyway). This warning should also be
> >>>>>> displayed on the Group Policy wiki page. If there are other GPO
> >>>>>> policies that can not be set with RSAT, those should
> >>>>>> also be listed.
> >>>>> Thanks Peter for reaching out on this,
> >>>>> So, the challenge is that in the past, Samba didn't know how to
> >>>>> read these, and the settings were just ignored.
> >>>>> Now it can, but given there are now existing domains, which
> >>>>> setting should be primary, the one in the DB or the one in the
> >>>>> GPO? That is why the smb.conf setting "apply group policies"
> >>>>> needs to be set to Yes if the GPO approach is to be taken.
> >>>>> Feel free to ask for a wiki account to point out this if you
> >>>>> feel it would be helpful.
> >>>>> Andrew Bartlett
> >>>>>
> >>>> Hi folks,
> >>>> I've tried to get password policies setting using the Windows
> >>>> GPMC from RSAT working. Unfortunately, no change. It just does
> >>>> not work. Here is the smb.conf for the AD DC:
> >>>> # Global parameters
> >>>> [global]
> >>>>         dns forwarder = 78.110.208.34
> >>>>         netbios name = TESTADC1
> >>>>         realm = TESTDOM.TALPS
> >>>>         server role = active directory domain controller
> >>>>         workgroup = TESTDOM
> >>>>         idmap_ldb:use rfc2307 = yes
> >>>>         apply group policies = yes
> >>>>
> >>>> [sysvol]
> >>>>         path = /var/lib/samba/sysvol
> >>>>         read only = No
> >>>>
> >>>> [netlogon]
> >>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>         read only = No
> >>>> The only way to set password policies for the domain, still seems
> >>>> to be through samba-tool domain passwordsettings and the
> >>>> parameter "apply group policies" has got no effect at all.
> >>>> If I create a gpresult.html file on a Windows member PC, it shows
> >>>> the settings I have set with the Windows Group Policy Management
> >>>> Editor (GPME), but when setting a password for a user in Active
> >>>> Directory Users and Computers, the settings are not honored.
> >>>> In GPME there is also the folder Samba\smb.conf, where the
> >>>> different password policy parameters can be set. No effect at
> >>>> all. In practice, this is not a big deal. You probably set the
> >>>> domain password policies once, and forget about it.
> >>>> I'm not going to waste more time on this. Just use samba-tool
> >>>> domain passwordsettings for setting password policies, and forget
> >>>> about GPMC.
> >>> I would also note that the even better password policies - fine
> >>> grained password policies - (password setting objects) were never
> >>> available via GPMC and were always directly set to the directory.
> >>> We have good tooling for that in samba-tool, plus whatever windows
> >>> uses would edit the same LDAP attributes.
> >>> Andrew Bartlett
> >>>
> >> Hi Andrew,
> >>
> >> Thanks for the information. In my setting, standard password
> >> policies are sufficient.
> >>
> >> Is it possible to set password policies at all using GPMC from
> >> RSAT? I did not succeed, as I wrote. It's not an important issue,
> >> however it would have been nice to be able to use one tool for
> >> everything. In a small setting like mine (about 40 users), I just
> >> set it once with samba-tool, and that's it. I would be very
> >> surprised if the need ever arises to change something there. I
> >> would sooner expect that there will be requirements for other
> >> types of authentication that are more secure in the not so far
> >> future.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> > This got my interest, so I did a little testing from a win10 VM and
> > (for myself) GPME works up to a point.
> >
> > I followed David Mulder's instructions, though there were a few
> > errors, I could easily set things in the GPME, but they didn't seem
> > to affect AD. I turned off password complexity and set min password
> > length to 8, this was not reflected in AD.
> > I then wondered if it was altering sysvol, so I checked and:
> >
> > sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> > [Unicode]
> > Unicode=yes
> > [Version]
> > signature="$CHICAGO$"
> > Revision=1
> > [System Access]
> > MinimumPasswordLength = 8
> > PasswordComplexity = 0
> > [Registry Values]
> >
> > And when I turned password complexity back on through GPME:
> >
> > [Unicode]
> > Unicode=yes
> > [Version]
> > signature="$CHICAGO$"
> > Revision=1
> > [System Access]
> > MinimumPasswordLength = 8
> > PasswordComplexity = 1
> > [Registry Values]
> >
> > So it looks like it is halfway there, it is creating the GPO in
> > sysvol. I ran samba-gpupdate, but it either does nothing or crashes.
> >
> > Rowland
> >
> Hi Rowland,
> 
> I set the parameter "apply group policies = yes" in smb.conf as
> Andrew suggested (I even tried in GPME/Administrative
> templates/Samba/smb.conf). Then I set password policies through GPME.
> Every time I do something in GPMC/GPME, it seems that the permissions
> under sysvol become disturbed (using samba-tool ntacl sysvolcheck),
> but was fixed by a sysvolreset (this is another matter).
> Subsequently, I checked up the entries in GPME, and they were exactly
> as I had set them with GPME. Running a GPRESULT in Windows showed
> that policies set with GPME were applied. Running "samba-tool domain
> passwordsettings show", does not reflect anything set with
> GPME. Testing by adding a new user to AD, confirms that
> the samba-tool settings are those that get applied, not what I set
> with GPME. A bit weird.
> 
> Presently, the problem is more of an academic nature. I can live with
> that, as it's more like set and forget. I may have forgotten something
> essential, but I don't think so. I guess this needs a bit more work
> in the code. Nothing high priority, I guess, as it's not a show
> stopper. But it should be duly noted in the Wiki.
> 
> Best regards,
> 
> Peter

The problem is, from my point of view, David Mulder created a document
about Samba and GPOs, part of which seems to suggest that, at some
time, setting password attributes with GPME worked; well, I cannot get
it to work now.

After reading the code for gpclass.py, it looks like the Python code
looks for 'version' in a cache file; this cache file is empty,
probably because the domain controller's GPO is an empty GPO when
first created. This does lead to a question: AD GPOs are stored on
disk in sysvol and also in AD, so why does Samba require yet another
copy in a cache?

If I change the output of 'gpo_version' from gpclass.py to return an
integer, samba-gpupdate no longer crashes, it still doesn't work, but
it no longer crashes.

Rowland
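The thread shows the GPO landing in sysvol (GptTmpl.inf) while the AD database, as reported by samba-tool, keeps its own values. The following is an added example, not code from the thread or from Samba: it parses a GptTmpl.inf as GPME writes it (UTF-16 with the BOM that prints as garbage on a terminal), parses the output of `samba-tool domain passwordsettings show`, and lists the settings where sysvol and AD disagree. The sample inputs are constructed; the key mapping beyond MinimumPasswordLength and PasswordComplexity is assumed from standard Windows security templates.

```python
import configparser

# Constructed sample: a GptTmpl.inf as GPME writes it (UTF-16 with BOM),
# holding the values shown in the thread.
SAMPLE_GPTTMPL = (
    '[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature="$CHICAGO$"\r\n'
    "Revision=1\r\n[System Access]\r\nMinimumPasswordLength = 8\r\n"
    "PasswordComplexity = 0\r\n[Registry Values]\r\n"
).encode("utf-16")

# Constructed sample of `samba-tool domain passwordsettings show` output.
SAMPLE_SAMBA_TOOL = """Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
"""

# GptTmpl.inf [System Access] key -> samba-tool label. The first two appear
# in the thread; PasswordHistorySize is assumed from Windows templates.
KEY_MAP = {
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Password complexity",
    "PasswordHistorySize": "Password history length",
}

def parse_gpttmpl(raw: bytes) -> dict:
    """Return the [System Access] values of a GptTmpl.inf as integers."""
    # The BOM that shows up as garbage on a terminal tells us the encoding.
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    cp = configparser.ConfigParser(interpolation=None)  # '$CHICAGO$' is literal
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(raw.decode(enc))
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp["System Access"].items()}

def parse_samba_tool(output: str) -> dict:
    """Turn `samba-tool ... show` lines into a dict; on/off become 1/0."""
    vals = {}
    for line in output.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # heading and blank lines carry no setting
        val = val.strip()
        vals[key.strip()] = {"on": 1, "off": 0}.get(val, int(val) if val.isdigit() else val)
    return vals

def policy_drift(gpttmpl: bytes, samba_tool_output: str) -> list:
    """List (setting, gpo_value, ad_value) where sysvol and AD disagree."""
    gpo, ad = parse_gpttmpl(gpttmpl), parse_samba_tool(samba_tool_output)
    drift = []
    for key, gpo_value in gpo.items():
        label = KEY_MAP.get(key)
        if label in ad and ad[label] != gpo_value:
            drift.append((key, gpo_value, ad[label]))
    return drift
```

Feeding it the real GptTmpl.inf from sysvol and the real samba-tool output makes the mismatch Peter observed visible at a glance; an empty list means the two stores agree.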