[Samba] Domain password policy with Samba AD DC

Rowland Penny rpenny at samba.org
Wed Aug 30 17:17:41 UTC 2023


On Wed, 30 Aug 2023 18:56:48 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 30.08.2023 16:21, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 12:40:08 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> >>> On Wed, 30 Aug 2023 09:49:05 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba
> >>>>> wrote:
> >>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba
> >>>>>>> wrote:
> >>>>>>>> Hi folks,
> >>>>>>>> I just wonder why it is not possible to set domain password
> >>>>>>>> policies with GPO, using the Windows RSAT Group Policy
> >>>>>>>> Manager? For most other settings, using GPOs through RSAT
> >>>>>>>> works. For somebody who sets up a Samba AD DC infrequently,
> >>>>>>>> this is a huge trap. There should be a very visible warning
> >>>>>>>> on the AD DC setup wiki page, that you *must* setup password
> >>>>>>>> policies with samba-tool, if you plan to change the default
> >>>>>>>> password policies (which I assume most will do). It should
> >>>>>>>> also be very clearly noted that it is not possible to do this
> >>>>>>>> with RSAT (as lots of people will try that anyway).
> >>>>>>>> This warning should also be displayed on the Group Policy wiki
> >>>>>>>> page. If there are other GPO policies that can not be set
> >>>>>>>> with RSAT, those should also be listed.
> >>>>>>> Thanks Peter for reaching out on this,
> >>>>>>> So, the challenge is that in the past, Samba didn't know how
> >>>>>>> to read these, and the settings were just ignored.
> >>>>>>> Now it can, but given there are now existing domains, which
> >>>>>>> setting should be primary, the one in the DB or the one in the
> >>>>>>> GPO? That is why the smb.conf setting "apply group policies"
> >>>>>>> needs to be set to Yes if the GPO approach is to be taken.
> >>>>>>> Feel free to ask for a wiki account to point out this if you
> >>>>>>> feel it would be helpful.
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Hi folks,
> >>>>>> I've tried to get password policies setting using the Windows
> >>>>>> GPMC from RSAT working. Unfortunately, no change. It just does
> >>>>>> not work. Here is the smb.conf for the AD DC:
> >>>>>> # Global parameters
> >>>>>> [global]
> >>>>>>         dns forwarder = 78.110.208.34
> >>>>>>         netbios name = TESTADC1
> >>>>>>         realm = TESTDOM.TALPS
> >>>>>>         server role = active directory domain controller
> >>>>>>         workgroup = TESTDOM
> >>>>>>         idmap_ldb:use rfc2307 = yes
> >>>>>>         apply group policies = yes
> >>>>>>
> >>>>>> [sysvol]
> >>>>>>         path = /var/lib/samba/sysvol
> >>>>>>         read only = No
> >>>>>>
> >>>>>> [netlogon]
> >>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>>>         read only = No
> >>>>>> The only way to set password policies for the domain, still
> >>>>>> seems to be through samba-tool domain passwordsettings and the
> >>>>>> parameter "apply group policies" has got no effect at all.
> >>>>>> If I create a gpresult.html file on a Windows member PC, it
> >>>>>> shows the settings I have set with the Windows Group Policy
> >>>>>> Management Editor (GPME), but when setting a password for a
> >>>>>> user in Active Directory Users and Computers, the settings are
> >>>>>> not honored. In GPME there is also the folder Samba\smb.conf,
> >>>>>> where the different password policy parameters can be set. No
> >>>>>> effect at all. In practice, this is not a big deal. You
> >>>>>> probably set the domain password policies once, and forget
> >>>>>> about it. I'm not going to waste more time on this. Just use
> >>>>>> samba-tool domain passwordsettings for setting password
> >>>>>> policies, and forget about GPMC.
> >>>>> I would also note that the even better password policies - fine
> >>>>> grained password policies - (password setting objects) were
> >>>>> never available via GPMC and were always directly set to the
> >>>>> directory. We have good tooling for that in samba-tool, plus
> >>>>> whatever windows uses would edit the same LDAP attributes.
> >>>>> Andrew Bartlett
> >>>>>
> >>>> Hi Andrew,
> >>>>
> >>>> Thanks for the information. In my setting, standard password
> >>>> policies are sufficient.
> >>>>
> >>>> Is it possible to set password policies at all using GPMC from
> >>>> RSAT? I did not succeed, as I wrote. It's not an important issue,
> >>>> however it would have been nice to be able to use one tool for
> >>>> everything. In a small setting like mine (about 40 users), I just
> >>>> set it once with samba-tool, and that's it. I would be very
> >>>> surprised if the need ever arises to change something there. I
> >>>> would sooner expect that there will be requirements for other
> >>>> types of authentication that are more secure in the not so far
> >>>> future.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>> This got my interest, so I did a little testing from a win10 VM
> >>> and (for myself) GPME works up to a point.
> >>>
> >>> I followed David Mulder's instructions, though there were a few
> >>> errors, I could easily set things in the GPME, but they didn't
> >>> seem to affect AD. I turned off password complexity and set min
> >>> password length to 8, this was not reflected in AD.
> >>> I then wondered if it was altering sysvol, so I checked and:
> >>>
> >>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> >>> ��[Unicode]
> >>> Unicode=yes
> >>> [Version]
> >>> signature="$CHICAGO$"
> >>> Revision=1
> >>> [System Access]
> >>> MinimumPasswordLength = 8
> >>> PasswordComplexity = 0
> >>> [Registry Values]
> >>>
> >>> And when I turned password complexity back on through GPME:
> >>>
> >>> ��[Unicode]
> >>> Unicode=yes
> >>> [Version]
> >>> signature="$CHICAGO$"
> >>> Revision=1
> >>> [System Access]
> >>> MinimumPasswordLength = 8
> >>> PasswordComplexity = 1
> >>> [Registry Values]
> >>>
> >>> So it looks like it is halfway there, it is creating the GPO in
> >>> sysvol. I ran samba-gpupdate, but it either does nothing or
> >>> crashes.
> >>>
> >>> Rowland
> >>>
> >> Hi Rowland,
> >>
> >> I set the parameter "apply group policies = yes" in smb.conf as
> >> Andrew suggested (I even tried in GPME/Administrative
> >> templates/Samba/smb.conf). Then I set password policies through
> >> GPME. Every time I do something in GPMC/GPME, it seems that the
> >> permissions under sysvol become disturbed (using samba-tool ntacl
> >> sysvolcheck), but was fixed by a sysvolreset (this is another
> >> matter). Subsequently, I checked up the entries in GPME, and they
> >> were exactly as I had set them with GPME. Running a GPRESULT in
> >> Windows showed that policies set with GPME were applied. Running
> >> "samba-tool domain passwordsettings show", does not reflect
> >> anything set with GPME. Testing by adding a new user to
> >> AD, confirms that the samba-tool settings are those that get
> >> applied, not what I set with GPME. A bit weird.
> >>
> >> Presently, the problem is more of an academic nature. I can live
> >> with that, as it's more like set and forget. I may have forgotten
> >> something essential, but I don't think so. I guess this needs a
> >> bit more work in the code. Nothing high priority, I guess, as it's
> >> not a show stopper. But it should be duly noted in the Wiki.
> >>
> >> Best regards,
> >>
> >> Peter
> > The problem is, from my point of view, David Mulder created a
> > document about Samba and GPOs, part of which seems to suggest that,
> > at some time, setting password attributes with GPME worked, well, I
> > cannot get to work now.
> >
> > After reading the code for gpclass.py, it looks like the python code
> > looks for 'version' in a cache file, this cache file is empty,
> > probably because the domain controllers GPO is an empty GPO when
> > first created. This does lead to a question, AD GPOs are stored on
> > disk in sysvol and also in AD, so why does Samba require yet another
> > copy in a cache ?
> >
> > If I change the output of 'gpo_version' from gpclass.py to return an
> > integer, samba-gpupdate no longer crashes, it still doesn't work,
> > but it no longer crashes.
> >
> > Rowland
> >
> >
> >
> Hi Rowland,
> 
> I would like to have Andrew's comments about this (and if possible,
> also from David Mulder). Obviously, it does not work.

Hi Peter,
I think we need to hear from David, he has done some amazing work on
Samba and GPOs, including creating the document I linked to. That
document seems to indicate that modifying the default Domain
Controllers Policy did, at some time, work; as you and I know, it
doesn't now.

> 
> I don't get any errors at all, no crashes, nothing in the journal,
> nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from 
> bookworm-backports).

If I try to alter the default Domain Controllers policy via GPME,
whilst GPME shows and retains the changes, nothing changes in AD.
There are changes in sysvol, but these changes seem to require that
sysvolreset is run. If I then run samba-gpupdate, I get this:

Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 133, in <module>
    apply_gp(lp, creds, store, gp_extensions, username,
  File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 481, in apply_gp
    version = gpo_version(lp, path)
  File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 431, in gpo_version
    return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
samba.NTSTATUSError: (3221225700, 'This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.')

I traced this (or so I believe) to the python program trying to read
from an empty cache.

> 
> I'm not particularly at home in python programming, and have got
> nothing to add here. But I love to tinker with things that do not
> work. At the moment however, I'm quite time constrained, otherwise
> I'd give it a shot...

I know a little bit about python (not an expert by any means) but for
reasons I will not go into here, I will not attempt to fix this.

Rowland
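The thread above shows GPME writing the password settings into sysvol as a
GptTmpl.inf (UTF-16 with a BOM, which is what the leading "��" in the cat
output is) while the DC keeps enforcing whatever samba-tool last set. The
following is an added example, not Samba project code and not anything
posted in this thread: it parses the [System Access] section of such a
file, translates it into the equivalent `samba-tool domain passwordsettings
set` options, and reports where the GPO disagrees with the policy the DC
actually reports. The sample file content is constructed; the mapping of
secedit keys to samba-tool options and the assumption that both sides
express ages in days and lockout times in minutes are mine.

```python
"""Parse password policy out of a GPO's GptTmpl.inf and compare it with
what the DC enforces.  Example code written for this thread, not part of
Samba; assumptions are marked in comments."""
import configparser
from pathlib import Path

# Constructed sample of a GptTmpl.inf as GPME writes it: UTF-16LE with a
# BOM.  The BOM is what appears as "��" when the file is cat'ed as UTF-8.
SAMPLE_GPTTMPL = (
    "\ufeff[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\n"
    "MinimumPasswordLength = 8\r\n"
    "PasswordComplexity = 0\r\n"
    "PasswordHistorySize = 12\r\n"
    "[Registry Values]\r\n"
).encode("utf-16-le")


def _on_off(value):
    """secedit stores booleans as 0/1; samba-tool --complexity takes on/off."""
    return "on" if int(value) else "off"


# secedit key -> (samba-tool option, converter).  The option names are the
# documented ones for 'samba-tool domain passwordsettings set'.  Assumption:
# ages are days and lockout times are minutes on both sides, so the numbers
# pass through unchanged.
KEY_MAP = {
    "MinimumPasswordLength": ("--min-pwd-length", int),
    "PasswordComplexity": ("--complexity", _on_off),
    "PasswordHistorySize": ("--history-length", int),
    "MinimumPasswordAge": ("--min-pwd-age", int),
    "MaximumPasswordAge": ("--max-pwd-age", int),
    "LockoutBadCount": ("--account-lockout-threshold", int),
    "LockoutDuration": ("--account-lockout-duration", int),
    "ResetLockoutCount": ("--reset-account-lockout-after", int),
}


def decode_inf(data: bytes) -> str:
    """GPME writes UTF-16 with a BOM; hand-edited files may be UTF-8."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")  # the utf-16 codec consumes the BOM
    return data.decode("utf-8-sig")


def parse_gpttmpl(data: bytes) -> dict:
    """Return the [System Access] settings as {key: value-string}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. MinimumPasswordLength
    cp.read_string(decode_inf(data))
    if "System Access" not in cp:
        return {}
    return {k: v.strip() for k, v in cp["System Access"].items()}


def read_gpttmpl(path) -> dict:
    """Read a GptTmpl.inf from sysvol, e.g.
    .../Policies/{GUID}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"""
    return parse_gpttmpl(Path(path).read_bytes())


def to_samba_tool_args(settings: dict) -> list:
    """Build the samba-tool command line that would apply the GPO's values."""
    args = ["samba-tool", "domain", "passwordsettings", "set"]
    for key, raw in settings.items():
        if key in KEY_MAP:
            opt, conv = KEY_MAP[key]
            args.append(f"{opt}={conv(raw)}")
    return args


def diff_against_applied(settings: dict, applied: dict) -> dict:
    """Compare GPO values with what the DC reports (values transcribed from
    'samba-tool domain passwordsettings show', keyed by option name).
    Returns {option: (gpo_value, applied_value)} for every mismatch."""
    mismatches = {}
    for key, raw in settings.items():
        if key not in KEY_MAP:
            continue
        opt, conv = KEY_MAP[key]
        want = conv(raw)
        have = applied.get(opt)
        if have is not None and have != want:
            mismatches[opt] = (want, have)
    return mismatches


if __name__ == "__main__":
    gpo = parse_gpttmpl(SAMPLE_GPTTMPL)
    print(" ".join(to_samba_tool_args(gpo)))
    # Constructed "applied" values: Samba's stock defaults for these three.
    applied = {"--min-pwd-length": 7, "--complexity": "on", "--history-length": 24}
    for opt, (want, have) in diff_against_applied(gpo, applied).items():
        print(f"{opt}: GPO says {want}, DC enforces {have}")
```

Run against the real sysvol file, the first line printed is the samba-tool
command that makes the DC match the GPO; the mismatch lines are the check
to run after samba-gpupdate to confirm whether anything actually changed.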
