[Samba] Domain password policy with Samba AD DC

Rowland Penny rpenny at samba.org
Wed Sep 6 12:53:22 UTC 2023

On Wed, 6 Sep 2023 06:22:00 -0600
David Mulder via samba <samba at lists.samba.org> wrote:

> On 8/30/23 8:21 AM, Rowland Penny via samba wrote:
> >
> > If I change the output of 'gpo_version' from gpclass.py to return an
> > integer, samba-gpupdate no longer crashes, it still doesn't work,
> > but it no longer crashes.
> It occurs to me there was actually a bug in the `samba-tool gpo
> manage security set` command that failed to initialize the gpo
> version. This was bug
> https://bugzilla.samba.org/show_bug.cgi?id=15327 which was fixed in
> March. Perhaps this is at least the initial issue we're encountering?
> Although, using the GPME to set these policies would have avoided
> that problem.
> Something to keep in mind, it's good practice to use the latest
> stable version of samba-tool (perhaps from a different machine) to
> modify the SYSVOL using the `samba-tool gpo manage` command, not
> necessarily the stable version released by your distro.

Hello David, I thought you might be away on holiday, so didn't really
push this after my initial testing.

How does Windows do this? I doubt if it is using a Linux cache file.
From my testing, GPME will alter the default domain policy, but Samba
doesn't seem to write these changes to AD; it also doesn't update/create
the cache file.

I am not an expert on GPOs (very far from one), but shouldn't the cache
file only be created on a Unix domain member, and is there a different
GPO to set password properties on a Unix domain member?

What I am trying to say is, if you set the password attributes with
GPME, shouldn't that GPO write to AD?

