[Samba] Domain password policy with Samba AD DC
dmulder at samba.org
Wed Sep 6 13:50:20 UTC 2023
On 9/6/23 6:53 AM, Rowland Penny via samba wrote:
> Hello David, I thought you might be away on holiday, so didn't really
> push this after my initial testing.
> How does Windows do this, I doubt if it is using a Linux cache file.
> From my testing, GPME will alter the default domain policy, but Samba
> doesn't seem to write these changes to AD, it also doesn't update/create
> the cache file.
The cache file only gets updated if that GPO version number is updated
(which `samba-tool gpo manage` failed to do in some instances until
recently, again see https://bugzilla.samba.org/show_bug.cgi?id=15327).
> I am not an expert on GPOs (very far from one), but shouldn't the cache
> file only be created on a Unix domain member and is there a different
> GPO to set password properties on a Unix domain member ?
These password policies are only meant to be applied to Domain
Controllers (you apply the password policy to the DC, then the domain
members must abide by that policy because the DC is now enforcing it).
This policy never applies to a domain member unless it is a DC.
> What I am trying to say is, if you set the password attributes with
> GPME, shouldn't that GPO write to AD ?
The GPME modifies files on the SYSVOL. I'm not sure what you mean by
"shouldn't that GPO write to AD".
Labs Software Engineer, Samba
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
dmulder at suse.com
More information about the samba