[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Wed Aug 30 16:56:48 UTC 2023



On 30.08.2023 16:21, Rowland Penny via samba wrote:
> On Wed, 30 Aug 2023 12:40:08 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 30.08.2023 11:58, Rowland Penny via samba wrote:
>>> On Wed, 30 Aug 2023 09:49:05 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
>>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
>>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
>>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba
>>>>>>> wrote:
>>>>>>>> Hi folks,
>>>>>>>> I just wonder why it is not possible to set domain password
>>>>>>>> policies with GPO, using the Windows RSAT Group Policy Manager?
>>>>>>>> For most other settings, using GPOs through RSAT works.
>>>>>>>> For somebody who sets up a Samba AD DC infrequently, this is a
>>>>>>>> huge trap. There should be a very visible warning on the AD DC
>>>>>>>> setup wiki page, that you *must* set up password policies with
>>>>>>>> samba-tool, if you plan to change the default password policies
>>>>>>>> (which I assume most will do). It should also be very clearly
>>>>>>>> noted that it is not possible to do this with RSAT (as lots of
>>>>>>>> people will try that anyway). This warning should also be
>>>>>>>> displayed on the Group Policy wiki page. If there are other GPO
>>>>>>>> policies that can not be set with RSAT, those should
>>>>>>>> also be listed.
>>>>>>> Thanks Peter for reaching out on this,
>>>>>>> So, the challenge is that in the past, Samba didn't know how to
>>>>>>> read these, and the settings were just ignored.
>>>>>>> Now it can, but given there are now existing domains, which
>>>>>>> setting should be primary, the one in the DB or the one in the
>>>>>>> GPO? That is why the smb.conf setting "apply group policies"
>>>>>>> needs to be set to Yes if the GPO approach is to be taken.
>>>>>>> Feel free to ask for a wiki account to point out this if you
>>>>>>> feel it would be helpful.
>>>>>>> Andrew Bartlett
>>>>>>>
>>>>>> Hi folks,
>>>>>> I've tried to get password policies setting using the Windows
>>>>>> GPMC from RSAT working. Unfortunately, no change. It just does
>>>>>> not work. Here is the smb.conf for the AD DC:
>>>>>> # Global parameters
>>>>>> [global]
>>>>>>         dns forwarder = 78.110.208.34
>>>>>>         netbios name = TESTADC1
>>>>>>         realm = TESTDOM.TALPS
>>>>>>         server role = active directory domain controller
>>>>>>         workgroup = TESTDOM
>>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>>         apply group policies = yes
>>>>>>
>>>>>> [sysvol]
>>>>>>         path = /var/lib/samba/sysvol
>>>>>>         read only = No
>>>>>>
>>>>>> [netlogon]
>>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
>>>>>>         read only = No
>>>>>> The only way to set password policies for the domain, still seems
>>>>>> to be through samba-tool domain passwordsettings and the
>>>>>> parameter "apply group policies" has got no effect at all.
>>>>>> If I create a gpresult.html file on a Windows member PC, it shows
>>>>>> the settings I have set with the Windows Group Policy Management
>>>>>> Editor (GPME), but when setting a password for a user in Active
>>>>>> Directory Users and Computers, the settings are not honored.
>>>>>> In GPME there is also the folder Samba\smb.conf, where the
>>>>>> different password policy parameters can be set. No effect at
>>>>>> all. In practice, this is not a big deal. You probably set the
>>>>>> domain password policies once, and forget about it.
>>>>>> I'm not going to waste more time on this. Just use samba-tool
>>>>>> domain passwordsettings for setting password policies, and forget
>>>>>> about GPMC.
>>>>> I would also note that the even better password polices - fine
>>>>> grained password policies - (password setting objects) were never
>>>>> available via GPMC and were always directly set to the directory.
>>>>> We have good tooling for that in samba-tool, plus whatever windows
>>>>> uses would edit the same LDAP attributes.
>>>>> Andrew Bartlett
>>>>>
>>>> Hi Andrew,
>>>>
>>>> Thanks for the information. In my setting, standard password
>>>> policies are sufficient.
>>>>
>>>> Is it possible to set password policies at all using GPMC from
>>>> RSAT? I did not succeed, as I wrote. It's not an important issue,
>>>> however it would have been nice to be able to use one tool for
>>>> everything. In a small setting like mine (about 40 users), I just
>>>> set it once with samba-tool, and that's it. I would be very
>>>> surprised if the need ever arises to change something there. I
>>>> would sooner expect that there will be requirements for other
>>>> types of authentication that are more secure in the not so far
>>>> future.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>>
>>> This got my interest, so I did a little testing from a win10 VM and
>>> (for myself) GPME works up to a point.
>>>
>>> I followed David Mulder's instructions, though there were a few
>>> errors, I could easily set things in the GPME, but they didn't seem
>>> to affect AD. I turned off password complexity and set min password
>>> length to 8, this was not reflected in AD.
>>> I then wondered if it was altering sysvol, so I checked and:
>>>
>>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
>>> [Unicode]
>>> Unicode=yes
>>> [Version]
>>> signature="$CHICAGO$"
>>> Revision=1
>>> [System Access]
>>> MinimumPasswordLength = 8
>>> PasswordComplexity = 0
>>> [Registry Values]
>>>
>>> And when I turned password complexity back on through GPME:
>>>
>>> [Unicode]
>>> Unicode=yes
>>> [Version]
>>> signature="$CHICAGO$"
>>> Revision=1
>>> [System Access]
>>> MinimumPasswordLength = 8
>>> PasswordComplexity = 1
>>> [Registry Values]
>>>
>>> So it looks like it is halfway there, it is creating the GPO in
>>> sysvol. I ran samba-gpupdate, but it either does nothing or crashes.
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> I set the parameter "apply group policies = yes" in smb.conf as
>> Andrew suggested (I even tried in GPME/Administrative
>> templates/Samba/smb.conf). Then I set password policies through GPME.
>> Every time I do something in GPMC/GPME, it seems that the permissions
>> under sysvol become disturbed (using samba-tool ntacl sysvolcheck),
>> but was fixed by a sysvolreset (this is another matter).
>> Subsequently, I checked up the entries in GPME, and they were exactly
>> as I had set them with GPME. Running a GPRESULT in Windows showed
>> that policies set with GPME were applied. Running "samba-tool domain
>> passwordsettings show", does not reflect anything set with
>> GPME. Testing by adding a new user to AD, confirms that
>> the samba-tool settings are those that get applied, not what I set
>> with GPME. A bit weird.
>>
>> Presently, the problem is more of an academic nature. I can live with
>> that, as it's more like set and forget. I may have forgotten something
>> essential, but I don't think so. I guess this needs a bit more work
>> in the code. Nothing high priority, I guess, as it's not a show
>> stopper. But it should be duly noted in the Wiki.
>>
>> Best regards,
>>
>> Peter
> The problem is, from my point of view, David Mulder created a document
> about Samba and GPOs, part of which seems to suggest that, at some
> time, setting password attributes with GPME worked, well, I cannot get
> it to work now.
>
> After reading the code for gpclass.py, it looks like the python code
> looks for 'version' in a cache file, this cache file is empty,
> probably because the domain controllers GPO is an empty GPO when
> first created. This does lead to a question, AD GPOs are stored on
> disk in sysvol and also in AD, so why does Samba require yet another
> copy in a cache ?
>
> If I change the output of 'gpo_version' from gpclass.py to return an
> integer, samba-gpupdate no longer crashes, it still doesn't work, but
> it no longer crashes.
>
> Rowland
>     
>
>
Hi Rowland,

I would like to have Andrew's comments about this (and if possible, also 
from David Mulder). Obviously, it does not work.

I don't get any errors at all, no crashes, nothing in the journal, nor 
in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from 
bookworm-backports).

I'm not particularly at home in python programming, and have got nothing 
to add here. But I love to tinker with things that do not work. At the 
moment however, I'm quite time constrained, otherwise I'd give it a shot...

Best regards

Peter
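The thread above shows two copies of the domain password policy that can silently disagree: the [System Access] section of GptTmpl.inf that GPME writes into sysvol, and the values in the directory that "samba-tool domain passwordsettings show" prints. The following is an added example, not code from Samba or from anyone in this thread, that parses both and reports the drift. It assumes the GptTmpl.inf is UTF-16 with a BOM (which is what the "��" at the start of Rowland's cat output is) and that samba-tool prints the "Label: value" lines listed in KEY_MAP; both the INF bytes and the samba-tool output below are constructed samples, not captured from a real domain.

```python
"""Compare the password policy in a GPO's GptTmpl.inf with the live
samba-tool domain policy and report where the two disagree."""
import configparser
import re

# Constructed sample of what GPME writes to
# .../Policies/{GUID}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
# Windows writes the file as UTF-16 with a BOM; the "utf-16" codec adds one.
GPTTMPL_BYTES = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\nMinimumPasswordLength = 8\r\nPasswordComplexity = 0\r\n"
    "[Registry Values]\r\n"
).encode("utf-16")

# Constructed sample of `samba-tool domain passwordsettings show` output
# (labels as samba-tool prints them; treat the exact wording as an assumption).
SAMBA_TOOL_OUTPUT = """Password information for domain 'DC=testdom,DC=talps'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# GptTmpl.inf [System Access] key -> samba-tool label. Ages are days in both.
KEY_MAP = {
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Password complexity",
    "PasswordHistorySize": "Password history length",
    "MinimumPasswordAge": "Minimum password age (days)",
    "MaximumPasswordAge": "Maximum password age (days)",
    "LockoutBadCount": "Account lockout threshold (attempts)",
}


def _coerce(value: str):
    """Turn numeric strings into ints, leave anything else as a string."""
    value = value.strip().strip('"')
    return int(value) if re.fullmatch(r"-?\d+", value) else value


def parse_gpttmpl(data: bytes) -> dict:
    """Return the [System Access] section of a GptTmpl.inf as a dict.

    The file is UTF-16 with a BOM; decoding with 'utf-16' strips it, which
    is why the raw bytes in a terminal show up as two garbage characters.
    """
    text = data.decode("utf-16")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names as written
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    return {key: _coerce(val) for key, val in cp.items("System Access")}


def parse_samba_tool(output: str) -> dict:
    """Parse 'Label: value' lines; 'on'/'off' become 1/0 like the INF."""
    settings = {}
    for line in output.splitlines():
        m = re.match(r"^([^:]+):\s*(.+)$", line)
        if not m:
            continue  # banner and blank lines
        label, value = m.group(1).strip(), m.group(2).strip()
        if value in ("on", "off"):
            settings[label] = 1 if value == "on" else 0
        else:
            settings[label] = _coerce(value)
    return settings


def find_drift(gpo: dict, live: dict) -> dict:
    """Return {inf_key: (gpo_value, live_value)} for every key the GPO sets
    that the directory does not reflect. Keys the GPO leaves unset are not
    drift: the directory value simply stands."""
    drift = {}
    for inf_key, label in KEY_MAP.items():
        if inf_key in gpo and label in live and gpo[inf_key] != live[label]:
            drift[inf_key] = (gpo[inf_key], live[label])
    return drift


if __name__ == "__main__":
    gpo = parse_gpttmpl(GPTTMPL_BYTES)
    live = parse_samba_tool(SAMBA_TOOL_OUTPUT)
    for key, (wanted, actual) in find_drift(gpo, live).items():
        print(f"{key}: GPO says {wanted}, directory has {actual}")
```

On a real DC you would feed parse_gpttmpl() the bytes of the GptTmpl.inf under sysvol and parse_samba_tool() the captured output of "samba-tool domain passwordsettings show"; with the constructed samples it reports both MinimumPasswordLength (8 vs 7) and PasswordComplexity (0 vs 1), which is exactly the situation Peter and Rowland describe. If the directory has to win, the fix is the samba-tool command, not another edit in GPME.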



