[Samba] Domain password policy with Samba AD DC

Rowland Penny rpenny at samba.org
Wed Aug 30 18:32:56 UTC 2023


On Wed, 30 Aug 2023 19:47:16 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 30.08.2023 19:17, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 18:56:48 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 30.08.2023 16:21, Rowland Penny via samba wrote:
> >>> On Wed, 30 Aug 2023 12:40:08 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> >>>>> On Wed, 30 Aug 2023 09:49:05 +0200
> >>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>>>
> >>>>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>>>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba
> >>>>>>> wrote:
> >>>>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba
> >>>>>>>>> wrote:
> >>>>>>>>>> Hi folks,
> >>>>>>>>>> I just wonder why it is not possible to set domain password
> >>>>>>>>>> policies with GPO, using the Windows RSAT Group Policy
> >>>>>>>>>> Manager? For most other settings, using GPOs through RSAT
> >>>>>>>>>> works. For somebody who sets up a Samba AD DC infrequently,
> >>>>>>>>>> this is a huge trap. There should be a very visible warning
> >>>>>>>>>> on the AD DC setup wiki page, that you *must* set up password
> >>>>>>>>>> policies with samba-tool, if you plan to change the default
> >>>>>>>>>> password policies (which I assume most will do). It should
> >>>>>>>>>> also be very clearly noted that it is not possible to do this
> >>>>>>>>>> with RSAT (as lots of people will try that anyway).
> >>>>>>>>>> This warning should also be displayed on the Group Policy
> >>>>>>>>>> wiki page. If there are other GPO policies that cannot be
> >>>>>>>>>> set with RSAT, those should also be listed.
> >>>>>>>>> Thanks Peter for reaching out on this,
> >>>>>>>>> So, the challenge is that in the past, Samba didn't know how
> >>>>>>>>> to read these, and the settings were just ignored.
> >>>>>>>>> Now it can, but given there are now existing domains, which
> >>>>>>>>> setting should be primary, the one in the DB or the one in
> >>>>>>>>> the GPO? That is why the smb.conf setting "apply group
> >>>>>>>>> policies" needs to be set to Yes if the GPO approach is to
> >>>>>>>>> be taken. Feel free to ask for a wiki account to point out
> >>>>>>>>> this if you feel it would be helpful.
> >>>>>>>>> Andrew Bartlett
> >>>>>>>>>
> >>>>>>>> Hi folks,
> >>>>>>>> I've tried to get password policies setting using the Windows
> >>>>>>>> GPMC from RSAT working. Unfortunately, no change. It just
> >>>>>>>> does not work. Here is the smb.conf for the AD DC:
> >>>>>>>> # Global parameters
> >>>>>>>> [global]
> >>>>>>>>         dns forwarder = 78.110.208.34
> >>>>>>>>         netbios name = TESTADC1
> >>>>>>>>         realm = TESTDOM.TALPS
> >>>>>>>>         server role = active directory domain controller
> >>>>>>>>         workgroup = TESTDOM
> >>>>>>>>         idmap_ldb:use rfc2307 = yes
> >>>>>>>>         apply group policies = yes
> >>>>>>>>
> >>>>>>>> [sysvol]
> >>>>>>>>         path = /var/lib/samba/sysvol
> >>>>>>>>         read only = No
> >>>>>>>>
> >>>>>>>> [netlogon]
> >>>>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>>>>>         read only = No
> >>>>>>>>
> >>>>>>>> The only way to set password policies for the domain, still
> >>>>>>>> seems to be through samba-tool domain passwordsettings and
> >>>>>>>> the parameter "apply group policies" has got no effect at
> >>>>>>>> all. If I create a gpresult.html file on a Windows member
> >>>>>>>> PC, it shows the settings I have set with the Windows Group
> >>>>>>>> Policy Management Editor (GPME), but when setting a password
> >>>>>>>> for a user in Active Directory Users and Computers, the
> >>>>>>>> settings are not honored. In GPME there is also the folder
> >>>>>>>> Samba\smb.conf, where the different password policy
> >>>>>>>> parameters can be set. No effect at all. In practice, this
> >>>>>>>> is not a big deal. You probably set the domain password
> >>>>>>>> policies once, and forget about it. I'm not going to waste
> >>>>>>>> more time on this. Just use samba-tool domain
> >>>>>>>> passwordsettings for setting password policies, and forget
> >>>>>>>> about GPMC.
> >>>>>>> I would also note that the even better password polices - fine
> >>>>>>> grained password policies - (password setting objects) were
> >>>>>>> never available via GPMC and were always directly set to the
> >>>>>>> directory. We have good tooling for that in samba-tool, plus
> >>>>>>> whatever windows uses would edit the same LDAP attributes.
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Hi Andrew,
> >>>>>>
> >>>>>> Thanks for the information. In my setting, standard password
> >>>>>> policies are sufficient.
> >>>>>>
> >>>>>> Is it possible to set password policies at all using GPMC from
> >>>>>> RSAT? I did not succeed, as I wrote. It's not an important
> >>>>>> issue, however it would have been nice to be able to use one
> >>>>>> tool for everything. In a small setting like mine (about 40
> >>>>>> users), I just set it once with samba-tool, and that's it. I
> >>>>>> would be very surprised if the need ever arises to change
> >>>>>> something there. I would sooner expect that there will be
> >>>>>> requirements for other types of authentication that are more
> >>>>>> secure in the not so far future.
> >>>>>>
> >>>>>> Best regards,
> >>>>>>
> >>>>>> Peter
> >>>>>>
> >>>>>>
> >>>>> This got my interest, so I did a little testing from a win10 VM
> >>>>> and (for myself) GPME works up to a point.
> >>>>>
> >>>>> I followed David Mulder's instructions, though there were a few
> >>>>> errors, I could easily set things in the GPME, but they didn't
> >>>>> seem to affect AD. I turned off password complexity and set min
> >>>>> password length to 8, this was not reflected in AD.
> >>>>> I then wondered if it was altering sysvol, so I checked and:
> >>>>>
> >>>>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> >>>>> [Unicode]
> >>>>> Unicode=yes
> >>>>> [Version]
> >>>>> signature="$CHICAGO$"
> >>>>> Revision=1
> >>>>> [System Access]
> >>>>> MinimumPasswordLength = 8
> >>>>> PasswordComplexity = 0
> >>>>> [Registry Values]
> >>>>>
> >>>>> And when I turned password complexity back on through GPME:
> >>>>>
> >>>>> [Unicode]
> >>>>> Unicode=yes
> >>>>> [Version]
> >>>>> signature="$CHICAGO$"
> >>>>> Revision=1
> >>>>> [System Access]
> >>>>> MinimumPasswordLength = 8
> >>>>> PasswordComplexity = 1
> >>>>> [Registry Values]
> >>>>>
> >>>>> So it looks like it is halfway there, it is creating the GPO in
> >>>>> sysvol. I ran samba-gpupdate, but it either does nothing or
> >>>>> crashes.
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>> Hi Rowland,
> >>>>
> >>>> I set the parameter "apply group policies = yes" in smb.conf as
> >>>> Andrew suggested (I even tried in GPME/Administrative
> >>>> templates/Samba/smb.conf). Then I set password policies through
> >>>> GPME. Every time I do something in GPMC/GPME, it seems that the
> >>>> permissions under sysvol become disturbed (using samba-tool ntacl
> >>>> sysvolcheck), but was fixed by a sysvolreset (this is another
> >>>> matter). Subsequently, I checked up the entries in GPME, and they
> >>>> were exactly as I had set them with GPME. Running a GPRESULT in
> >>>> Windows showed that policies set with GPME were applied. Running
> >>>> "samba-tool domain passwordsettings show", does not reflect
> >>>> anything set with GPME. Testing by adding a new user
> >>>> to AD, confirms that the samba-tool settings are those that get
> >>>> applied, not what I set with GPME. A bit weird.
> >>>>
> >>>> Presently, the problem is more of an academic nature. I can live
> >>>> with that, as it's more like set and forget. I may have forgot
> >>>> something essential, but I don't think so. I guess this needs a
> >>>> bit more work in the code. Nothing high priority, I guess, as
> >>>> it's not a show stopper. But it should be duly noted in the Wiki.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>> The problem is, from my point of view, David Mulder created a
> >>> document about Samba and GPOs, part of which seems to suggest
> >>> that, at some time, setting password attributes with GPME worked,
> >>> well, I cannot get it to work now.
> >>>
> >>> After reading the code for gpclass.py, it looks like the python
> >>> code looks for 'version' in a cache file, this cache file is
> >>> empty, probably because the domain controllers GPO is an empty
> >>> GPO when first created. This does lead to a question, AD GPOs are
> >>> stored on disk in sysvol and also in AD, so why does Samba
> >>> require yet another copy in a cache ?
> >>>
> >>> If I change the output of 'gpo_version' from gpclass.py to return
> >>> an integer, samba-gpupdate no longer crashes, it still doesn't
> >>> work, but it no longer crashes.
> >>>
> >>> Rowland
> >>>      
> >>>
> >>>
> >> Hi Rowland,
> >>
> >> I would like to have Andrew's comments about this (and if possible,
> >> also from David Mulder). Obviously, it does not work.
> > Hi Peter,
> > I think we need to hear from David, he has done some amazing work on
> > Samba and GPOs, including creating the document I linked to. That
> > document seems to indicate that modifying the default Domain
> > Controllers Policy did, at some time, work; as you and I know, it
> > doesn't now.
> >
> >> I don't get any errors at all, no crashes, nothing in the journal,
> >> nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from
> >> bookworm-backports).
> > If I try to alter the default Domain Controllers policy via GPME,
> > whilst GPME shows and retains the changes, nothing changes in AD.
> > There are changes in sysvol, but these changes seem to require that
> > sysvolreset is run. If I then run samba-gpupdate, I get this:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba-gpupdate", line 133, in <module>
> >     apply_gp(lp, creds, store, gp_extensions, username,
> >   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 481, in apply_gp
> >     version = gpo_version(lp, path)
> >   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 431, in gpo_version
> >     return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
> > samba.NTSTATUSError: (3221225700, 'This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.')
> >
> > I traced this (or so I believe) to the python program trying to read
> > from an empty cache.
> >
> >> I'm not particularly at home in python programming, and have got
> >> nothing to add here. But I love to tinker with things that do not
> >> work. At the moment however, I'm quite time constrained, otherwise
> >> I'd give it a shot...
> > I know a little bit about python (not an expert by any means) but
> > for reasons I will not go into here, I will not attempt to fix this.
> >
> > Rowland
> >
> >
> Hi Rowland,
> 
> Those are the same errors I get. Need to run sysvolreset after that. I
> hope that David reads this and chimes in.

As do I.

> 
> As the problem is not a complete brick wall, nobody knowledgeable
> will give it a very high priority. But, as I pointed out previously,
> it should be mentioned in the Wiki. It could save lots of people
> banging their heads in the said wall, when samba-tool could be used
> to solve the problem quickly and efficiently.

I would update the wiki, but I need to know with just what: did it work
at one time, in which case it is a regression bug, or has it never
worked, despite what David put in his documentation?

Rowland
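An added example, not code from this thread and not Samba project code. It takes the route the thread ends up recommending: read the [System Access] section that GPME writes into the GPO's GptTmpl.inf under sysvol (the file Rowland cat'd above) and turn it into the equivalent "samba-tool domain passwordsettings set" command, so the values chosen in GPME can be applied to AD with the tool that does work. It assumes the option names of samba-tool domain passwordsettings set as documented (check --help on your version), and assumes that MaximumPasswordAge = -1 in the .inf ("never expires") maps to --max-pwd-age=0. The sample .inf content is constructed from the quoted output; it is encoded UTF-16LE with a BOM, which is what secedit/GPME write and what the two replacement characters in front of "[Unicode]" in the archived cat output most likely were. The script only prints the command unless you pass --apply.

```python
#!/usr/bin/env python3
"""Translate the [System Access] section of a GPO's GptTmpl.inf into the
equivalent 'samba-tool domain passwordsettings set' command line.

Added example for this thread; not Samba project code. Nothing in AD is
changed unless you run the printed command (or pass --apply).
"""
import codecs
import configparser
import shlex
import subprocess
import sys
from typing import Dict, List

# Constructed sample: the GptTmpl.inf content quoted in the thread, encoded
# the way secedit/GPME write it (UTF-16LE with BOM, CRLF line endings).
SAMPLE_GPTTMPL = codecs.BOM_UTF16_LE + (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\nMinimumPasswordLength = 8\r\nPasswordComplexity = 0\r\n"
    "[Registry Values]\r\n"
).encode("utf-16-le")


def _int(v: str) -> str:
    return str(int(v))


def _on_off(v: str) -> str:
    return "on" if int(v) else "off"


def _age_days(v: str) -> str:
    # The .inf uses -1 for "never expires"; samba-tool uses 0 (assumption).
    days = int(v)
    return "0" if days < 0 else str(days)


# [System Access] key -> (samba-tool option, value converter). Option names
# are assumed to match 'samba-tool domain passwordsettings set --help'.
OPTION_MAP = {
    "MinimumPasswordLength": ("--min-pwd-length", _int),
    "PasswordComplexity": ("--complexity", _on_off),
    "PasswordHistorySize": ("--history-length", _int),
    "MinimumPasswordAge": ("--min-pwd-age", _int),
    "MaximumPasswordAge": ("--max-pwd-age", _age_days),
    "ClearTextPassword": ("--store-plaintext", _on_off),
}


def decode_gpttmpl(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16LE with a BOM; fall back to 8-bit text."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    return raw.decode("latin-1")


def parse_system_access(text: str) -> Dict[str, str]:
    """Return the [System Access] key/value pairs with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep MinimumPasswordLength etc. as written
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    return dict(cp.items("System Access"))


def to_samba_tool_args(system_access: Dict[str, str]) -> List[str]:
    """Build the samba-tool argv from parsed [System Access] values.

    Keys without a mapping (lockout settings, LSAAnonymousNameLookup, ...)
    are reported on stderr rather than silently dropped; a non-integer
    value raises ValueError instead of being guessed at.
    """
    argv = ["samba-tool", "domain", "passwordsettings", "set"]
    skipped = []
    for key, value in system_access.items():
        if key not in OPTION_MAP:
            skipped.append(key)
            continue
        option, conv = OPTION_MAP[key]
        try:
            argv.append(f"{option}={conv(value)}")
        except ValueError as e:
            raise ValueError(f"{key}: cannot convert {value!r}") from e
    if skipped:
        print("not mapped, set another way: " + ", ".join(skipped), file=sys.stderr)
    return argv


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} /path/to/GptTmpl.inf [--apply]", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        settings = parse_system_access(decode_gpttmpl(f.read()))
    cmd = to_samba_tool_args(settings)
    if len(cmd) == 4:
        print("no password settings found in [System Access]", file=sys.stderr)
        return 1
    print(shlex.join(cmd))
    if "--apply" in argv[2:]:
        return subprocess.call(cmd)  # needs to run as root on the DC
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the Default Domain Policy's GptTmpl.inf (the {31B2F340-...} GUID from the cat command above) and then confirm with "samba-tool domain passwordsettings show" that AD now reflects what GPME wrote. This is a workaround for the behaviour described in the thread; it does nothing about the samba-gpupdate traceback.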

