[Samba] Domain password policy with Samba AD DC

David Mulder dmulder at samba.org
Wed Sep 6 13:50:20 UTC 2023

On 9/6/23 6:53 AM, Rowland Penny via samba wrote:
> Hello David, I thought you might be away on holiday, so didn't really
> push this after my initial testing.
> How does Windows do this? I doubt if it is using a Linux cache file.
> From my testing, GPME will alter the default domain policy, but Samba
> doesn't seem to write these changes to AD, it also doesn't update/create
> the cache file.
The cache file only gets updated if that GPO version number is updated 
(which `samba-tool gpo manage` failed to do in some instances until 
recently, again see https://bugzilla.samba.org/show_bug.cgi?id=15327).
> I am not an expert on GPOs (very far from one), but shouldn't the cache
> file only be created on a Unix domain member and is there a different
> GPO to set password properties on a Unix domain member?
These password policies are only meant to be applied to Domain 
Controllers (you apply the password policy to the DC, then the domain 
members must abide by that policy because the DC is now enforcing it). 
This policy never applies to a domain member unless it is a DC.
> What I am trying to say is, if you set the password attributes with
> GPME, shouldn't that GPO write to AD ?
The GPME modifies files on the SYSVOL. I'm not sure what you mean by 
"shouldn't that GPO write to AD".

David Mulder
Labs Software Engineer, Samba
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
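
The version dependence described in this message, as an added example (not part of the original post and not Samba's own code): it reads the `Version` entry from a GPO's GPT.INI on SYSVOL and compares it with the version recorded at the last apply. The GPT.INI contents and the `cached_version` parameter are constructed for illustration and do not reflect Samba's cache file format.

```python
import configparser

def read_gpt_version(gpt_ini_text):
    """Return the integer Version from the [General] section of GPT.INI."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    for section in parser.sections():
        # Section and key case varies between tools, so match loosely.
        if section.lower() == "general" and parser.has_option(section, "version"):
            return parser.getint(section, "version")
    raise ValueError("GPT.INI has no [General] Version entry")

def split_version(version):
    """GPO version is 32 bits: high 16 = user half, low 16 = computer half."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}

def describe_change(gpt_ini_text, cached_version):
    """Compare the SYSVOL version with the version seen at the last apply.

    cached_version is a hypothetical stand-in for whatever the client stored.
    """
    current = read_gpt_version(gpt_ini_text)
    now, before = split_version(current), split_version(cached_version)
    return {
        "changed": current != cached_version,  # nothing is reprocessed if False
        "computer_bumped": now["computer"] != before["computer"],
        "user_bumped": now["user"] != before["user"],
    }

# Constructed samples: the policy files were edited in both cases, but only
# the second edit also incremented the computer half of the version.
GPT_INI_NOT_BUMPED = "[General]\nVersion=3\n"
GPT_INI_BUMPED = "[General]\nVersion=4\n"

if __name__ == "__main__":
    for label, text in (("not bumped", GPT_INI_NOT_BUMPED), ("bumped", GPT_INI_BUMPED)):
        print(label, describe_change(text, cached_version=3))
```

Password policy is a computer-side setting, so an edit to it should show up as a change in the computer half of the version.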
