[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Wed Aug 30 17:47:16 UTC 2023

On 30.08.2023 19:17, Rowland Penny via samba wrote:
> On Wed, 30 Aug 2023 18:56:48 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>> On 30.08.2023 16:21, Rowland Penny via samba wrote:
>>> On Wed, 30 Aug 2023 12:40:08 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>> On 30.08.2023 11:58, Rowland Penny via samba wrote:
>>>>> On Wed, 30 Aug 2023 09:49:05 +0200
>>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
>>>>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba
>>>>>>> wrote:
>>>>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
>>>>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba
>>>>>>>>> wrote:
>>>>>>>>>> Hi folks,
>>>>>>>>>> I just wonder why it is not possible to set domain password
>>>>>>>>>> policies with GPO, using the Windows RSAT Group Policy
>>>>>>>>>> Manager? For most other settings, using GPOs through RSAT
>>>>>>>>>> works. For somebody who sets up a Samba AD DC infrequently,
>>>>>>>>>> this is a huge trap. There should be a very visible warning
>>>>>>>>>> on the AD DC setup wiki page, that you *must* set up password
>>>>>>>>>> policies with samba-tool, if you plan to change the default
>>>>>>>>>> password policies (which I assume most will do). It should
>>>>>>>>>> also be very clearly noted that it is not possible to do this
>>>>>>>>>> with RSAT (as lots of people will try that anyway).
>>>>>>>>>> This warning should also be displayed on the Group Policy wiki
>>>>>>>>>> page. If there are other GPO policies that cannot be set
>>>>>>>>>> with RSAT, those should also be listed.
>>>>>>>>> Thanks Peter for reaching out on this,
>>>>>>>>> So, the challenge is that in the past, Samba didn't know how
>>>>>>>>> to read these, and the settings were just ignored.
>>>>>>>>> Now it can, but given there are now existing domains, which
>>>>>>>>> setting should be primary, the one in the DB or the one in the
>>>>>>>>> GPO? That is why the smb.conf setting "apply group policies"
>>>>>>>>> needs to be set to Yes if the GPO approach is to be taken.
>>>>>>>>> Feel free to ask for a wiki account to point this out if you
>>>>>>>>> feel it would be helpful.
>>>>>>>>> Andrew Bartlett
>>>>>>>> Hi folks,
>>>>>>>> I've tried to get password policies setting using the Windows
>>>>>>>> GPMC from RSAT working. Unfortunately, no change. It just does
>>>>>>>> not work. Here is the smb.conf for the AD DC:
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>>         dns forwarder =
>>>>>>>>         netbios name = TESTADC1
>>>>>>>>         realm = TESTDOM.TALPS
>>>>>>>>         server role = active directory domain controller
>>>>>>>>         workgroup = TESTDOM
>>>>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>>>>         apply group policies = yes
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>         path = /var/lib/samba/sysvol
>>>>>>>>         read only = No
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
>>>>>>>>         read only = No
>>>>>>>> The only way to set password policies for the domain, still
>>>>>>>> seems to be through samba-tool domain passwordsettings and the
>>>>>>>> parameter "apply group policies" has got no effect at all.
>>>>>>>> If I create a gpresult.html file on a Windows member PC, it
>>>>>>>> shows the settings I have set with the Windows Group Policy
>>>>>>>> Management Editor (GPME), but when setting a password for a
>>>>>>>> user in Active Directory Users and Computers, the settings are
>>>>>>>> not honored. In GPME there is also the folder Samba\smb.conf,
>>>>>>>> where the different password policy parameters can be set. No
>>>>>>>> effect at all. In practice, this is not a big deal. You
>>>>>>>> probably set the domain password policies once, and forget
>>>>>>>> about it. I'm not going to waste more time on this. Just use
>>>>>>>> samba-tool domain passwordsettings for setting password
>>>>>>>> policies, and forget about GPMC.
>>>>>>> I would also note that the even better password policies - fine
>>>>>>> grained password policies - (password setting objects) were
>>>>>>> never available via GPMC and were always directly set to the
>>>>>>> directory. We have good tooling for that in samba-tool, plus
>>>>>>> whatever Windows uses would edit the same LDAP attributes.
>>>>>>> Andrew Bartlett
>>>>>> Hi Andrew,
>>>>>> Thanks for the information. In my setting, standard password
>>>>>> policies are sufficient.
>>>>>> Is it possible to set password policies at all using GPMC from
>>>>>> RSAT? I did not succeed, as I wrote. It's not an important issue,
>>>>>> however it would have been nice to be able to use one tool for
>>>>>> everything. In a small setting like mine (about 40 users), I just
>>>>>> set it once with samba-tool, and that's it. I would be very
>>>>>> surprised if the need ever arises to change something there. I
>>>>>> would sooner expect that there will be requirements for other
>>>>>> types of authentication that are more secure in the not so far
>>>>>> future.
>>>>>> Best regards,
>>>>>> Peter
>>>>> This got my interest, so I did a little testing from a win10 VM
>>>>> and (for myself) GPME works up to a point.
>>>>> I followed David Mulder's instructions (though there were a few
>>>>> errors). I could easily set things in the GPME, but they didn't
>>>>> seem to affect AD. I turned off password complexity and set min
>>>>> password length to 8; this was not reflected in AD.
>>>>> I then wondered if it was altering sysvol, so I checked and:
>>>>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
>>>>> ��[Unicode]
>>>>> Unicode=yes
>>>>> [Version]
>>>>> signature="$CHICAGO$"
>>>>> Revision=1
>>>>> [System Access]
>>>>> MinimumPasswordLength = 8
>>>>> PasswordComplexity = 0
>>>>> [Registry Values]
>>>>> And when I turned password complexity back on through GPME:
>>>>> ��[Unicode]
>>>>> Unicode=yes
>>>>> [Version]
>>>>> signature="$CHICAGO$"
>>>>> Revision=1
>>>>> [System Access]
>>>>> MinimumPasswordLength = 8
>>>>> PasswordComplexity = 1
>>>>> [Registry Values]
>>>>> So it looks like it is halfway there, it is creating the GPO in
>>>>> sysvol. I ran samba-gpupdate, but it either does nothing or
>>>>> crashes.
>>>>> Rowland
>>>> Hi Rowland,
>>>> I set the parameter "apply group policies = yes" in smb.conf as
>>>> Andrew suggested (I even tried in GPME/Administrative
>>>> templates/Samba/smb.conf). Then I set password policies through
>>>> GPME. Every time I do something in GPMC/GPME, it seems that the
>>>> permissions under sysvol become disturbed (using samba-tool ntacl
>>>> sysvolcheck), but they were fixed by a sysvolreset (this is another
>>>> matter). Subsequently, I checked the entries in GPME, and they
>>>> were exactly as I had set them with GPME. Running a GPRESULT in
>>>> Windows showed that policies set with GPME were applied. Running
>>>> "samba-tool domain passwordsettings show" does not reflect
>>>> anything set with GPME. Testing by adding a new user to
>>>> AD confirms that the samba-tool settings are those that get
>>>> applied, not what I set with GPME. A bit weird.
>>>> Presently, the problem is more of an academic nature. I can live
>>>> with that, as it's more like set and forget. I may have forgotten
>>>> something essential, but I don't think so. I guess this needs a
>>>> bit more work in the code. Nothing high priority, I guess, as it's
>>>> not a show stopper. But it should be duly noted in the Wiki.
>>>> Best regards,
>>>> Peter
>>> The problem is, from my point of view, David Mulder created a
>>> document about Samba and GPOs, part of which seems to suggest that,
>>> at some time, setting password attributes with GPME worked; well, I
>>> cannot get it to work now.
>>> After reading the code for gpclass.py, it looks like the python code
>>> looks for 'version' in a cache file; this cache file is empty,
>>> probably because the domain controllers GPO is an empty GPO when
>>> first created. This does lead to a question: AD GPOs are stored on
>>> disk in sysvol and also in AD, so why does Samba require yet another
>>> copy in a cache?
>>> If I change the output of 'gpo_version' from gpclass.py to return an
>>> integer, samba-gpupdate no longer crashes, it still doesn't work,
>>> but it no longer crashes.
>>> Rowland
>> Hi Rowland,
>> I would like to have Andrew's comments about this (and if possible,
>> also from David Mulder). Obviously, it does not work.
> Hi Peter,
> I think we need to hear from David; he has done some amazing work on
> Samba and GPOs, including creating the document I linked to. That
> document seems to indicate that modifying the default Domain
> Controllers Policy did, at some time, work; as you and I know, it
> doesn't now.
>> I don't get any errors at all, no crashes, nothing in the journal,
>> nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from
>> bookworm-backports).
> If I try to alter the default Domain Controllers policy via GPME,
> whilst GPME shows and retains the changes, nothing changes in AD.
> There are changes in sysvol, but these changes seem to require that
> sysvolreset is run. If I then run samba-gpupdate, I get this:
> Traceback (most recent call last):
>    File "/usr/sbin/samba-gpupdate", line 133, in <module>
>      apply_gp(lp, creds, store, gp_extensions, username,
>    File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 481, in apply_gp
>      version = gpo_version(lp, path)
>    File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 431, in gpo_version
>      return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
> samba.NTSTATUSError: (3221225700, 'This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.')
> I traced this (or so I believe) to the python program trying to read
> from an empty cache.
>> I'm not particularly at home in python programming, and have got
>> nothing to add here. But I love to tinker with things that do not
>> work. At the moment however, I'm quite time constrained, otherwise
>> I'd give it a shot...
> I know a little bit about python (not an expert by any means) but for
> reasons I will not go into here, I will not attempt to fix this.
> Rowland
Hi Rowland,

Those are the same errors I get. I need to run sysvolreset after that. I hope
that David reads this and chimes in.

As the problem is not a complete brick wall, nobody knowledgeable will
give it a very high priority. But, as I pointed out previously, it
should be mentioned in the Wiki. It could save lots of people banging
their heads against the said wall, when samba-tool could be used to solve the
problem quickly and efficiently.

Best regards,

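The recurring observation in this thread is that GPME writes the password policy into the GptTmpl.inf under sysvol, while the policy Samba actually enforces is the one shown by "samba-tool domain passwordsettings show". The script below is an added example, not code from the thread or from the Samba project: it parses a GptTmpl.inf the way GPME writes it (UTF-16 with a BOM, which is the "ÿþ" garbage visible when the file is cat'ed), parses the output of the samba-tool command, and reports every [System Access] setting where the two disagree, so an admin can spot the split before a new user is created with the wrong policy. The GptTmpl.inf bytes and the samba-tool output embedded here are constructed samples; the exact label wording of the samba-tool output and the mapping from INF keys to those labels are assumptions. It covers more settings than the two in the thread (history length, ages, lockout).

```python
"""Compare the password policy written by GPME into sysvol (GptTmpl.inf)
with the policy Samba enforces (samba-tool domain passwordsettings show).
Added example; sample inputs are constructed, not taken from a real DC."""
import sys
from typing import Callable, Dict, List, Tuple

# Constructed GptTmpl.inf with the same [System Access] values as in the
# thread, encoded as GPME does it: UTF-16 with BOM ("utf-16" adds the BOM).
SAMPLE_GPTTMPL = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\nMinimumPasswordLength = 8\r\nPasswordComplexity = 0\r\n"
    "[Registry Values]\r\n"
).encode("utf-16")

# Constructed output of "samba-tool domain passwordsettings show" (label
# wording is an assumption about the tool's format, values are made up).
SAMPLE_SAMBA_TOOL = """Password information for domain 'DC=testdom,DC=talps'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""


def decode_inf(data: bytes) -> str:
    """GPME writes UTF-16 with a BOM; hand-edited files may be UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_gpttmpl(data: bytes) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section -> {key: value}, keys keep their case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in decode_inf(data).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_passwordsettings(text: str) -> Dict[str, str]:
    """Turn the 'Label: value' lines of the samba-tool output into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " in line:
            label, value = line.split(": ", 1)
            settings[label.strip()] = value.strip()
    return settings


def _onoff(value: str) -> str:
    # INF stores 1/0, samba-tool prints on/off; normalise both to on/off.
    return {"1": "on", "0": "off"}.get(value, value.lower())


# INF key -> (assumed samba-tool label, normaliser). The "never expires"
# encodings of the age fields are not normalised here.
KEYMAP: Dict[str, Tuple[str, Callable[[str], object]]] = {
    "MinimumPasswordLength": ("Minimum password length", int),
    "PasswordComplexity": ("Password complexity", _onoff),
    "PasswordHistorySize": ("Password history length", int),
    "MinimumPasswordAge": ("Minimum password age (days)", int),
    "MaximumPasswordAge": ("Maximum password age (days)", int),
    "LockoutBadCount": ("Account lockout threshold (attempts)", int),
    "LockoutDuration": ("Account lockout duration (mins)", int),
    "ResetLockoutCount": ("Reset account lockout after (mins)", int),
}


def compare_policies(gpo: Dict[str, Dict[str, str]],
                     effective: Dict[str, str]) -> List[Tuple[str, object, object]]:
    """Return (label, value in sysvol GPO, value enforced by AD) mismatches."""
    mismatches: List[Tuple[str, object, object]] = []
    system_access = gpo.get("System Access", {})
    for inf_key, (label, normalise) in KEYMAP.items():
        if inf_key not in system_access or label not in effective:
            continue  # not defined on one side, nothing to compare
        gpo_value = normalise(system_access[inf_key])
        ad_value = normalise(effective[label])
        if gpo_value != ad_value:
            mismatches.append((label, gpo_value, ad_value))
    return mismatches


def main() -> int:
    diffs = compare_policies(parse_gpttmpl(SAMPLE_GPTTMPL),
                             parse_passwordsettings(SAMPLE_SAMBA_TOOL))
    for label, gpo_value, ad_value in diffs:
        print(f"MISMATCH {label}: sysvol GPO = {gpo_value}, enforced = {ad_value}")
    return 1 if diffs else 0


if __name__ == "__main__":
    sys.exit(main())
```

On a real DC the bytes would come from the GptTmpl.inf path Rowland shows above and the text from running "samba-tool domain passwordsettings show"; a non-zero exit marks the state the thread describes, where GPRESULT on a client reports the GPO values while new accounts get the samba-tool ones. The resolution the thread settles on is to set the policy with "samba-tool domain passwordsettings set" and re-run this check until it reports nothing.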