[Samba] Domain password policy with Samba AD DC
miles at atmos.eu
Wed Sep 6 16:19:13 UTC 2023
On 06.09.2023 13:51, David Mulder via samba wrote:
> On 8/28/23 1:45 AM, Peter Milesson via samba wrote:
>> Many thanks for the information. I guess, which of the methods for
>> setting password policies depends on local conditions, and admin
>> preferences and experience. In a mainly Windows oriented domain,
>> setting things through the GPMC would be the preferred way, and in a
>> mixed, or Linux oriented domain, with samba-tool.
> The samba-tool command for setting password policies is simply setting
> the same value that the GPME does. So it doesn't matter at all which
> you use for this. You need to make sure you set the password policy on
> the `Default Domain Controller Policy`. Then you need to enable group
> policy on the *domain controller*, via the "apply group policies"
> setting, as mentioned previously.
>> What I pointed out in my original post was, the absence of
>> information about GPO handling in the Samba wiki, when setting up a
>> new AD DC. IMHO this information is absolutely essential for
>> successful domain operations with Windows. Even in a fairly small
>> domain with a Samba AD DC, a server (Samba or Windows), and a few
>> workstations, operations will be quite impaired without applying at
>> least a few essential GPOs. In my particular case, folder
>> redirection, and a few other things. I couldn't imagine setting up
>> the domain without GPOs, and it would end up in a horrible mess.
> Sounds like a documentation issue. We should add these details to the
> wiki page you were following.
>> So, just a few lines and a link to the GPO wiki page in the
>> instructions for setting up a Samba AD DC, will be sufficient. In the
>> GPO wiki page, your information about the "apply group policies"
>> should not be missing, as well as a link to David Mulder's GPO
>> "bible" (https://dmulder.github.io/group-policy-book/sec.html), which
>> Rowland kindly pointed out.
I just tested according to your instructions.
Logging in as Administrator at testdom.talps and setting password policies
with GPME on Default Domain Controller Policies (specifically minimum
password length = 5). Then, through a cmd prompt with raised privileges,
gpupdate /force. Log out. Restart Samba AD DC. Running a sysvolcheck
with no errors.
It still does not work. It's still the settings made with samba-tool domain
passwordsettings (minimum password length = 4) that decide the password
I have also tried setting password policies on Default Domain Policies.
What I get from samba-tool domain passwordpolicies show is:
Password information for domain 'DC=testdom,DC=talps'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 4
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
# Global parameters
[global]
dns forwarder = xxx.xxx.xxx.xxx
netbios name = TESTADC1
realm = TESTDOM.TALPS
server role = active directory domain controller
workgroup = TESTDOM
idmap_ldb:use rfc2307 = yes
apply group policies = yes
# share section names below are assumed from the standard provision layout
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/testdom.talps/scripts
read only = No
As I previously stated, it's just a nuisance, you probably set password
policies once, or very seldom. It would be nice if it worked as in a
Windows AD DC.
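Added example, not from the thread or from the Samba project: a small Python parser and audit for the "samba-tool domain passwordsettings show" output quoted above, which flags the values that decide the effective policy (minimum length 4, lockout threshold 0, no expiry, no history). The baseline thresholds are assumptions for illustration, not Samba or Windows defaults.

```python
import re
# Constructed sample: the 'samba-tool domain passwordsettings show' output
# quoted in the post above.
SAMPLE = """\
Password information for domain 'DC=testdom,DC=talps'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 4
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""
LINE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>\S+)$")

def parse_settings(text):
    """Map each 'Key: value' line to a bool (on/off) or an int."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:  # skips the 'Password information for domain' header
            continue
        key, value = m.group("key"), m.group("value")
        settings[key] = value == "on" if value in ("on", "off") else int(value)
    return settings

def audit_settings(settings, min_length=8, min_history=5):
    """Return findings where the effective policy is weaker than an assumed
    baseline (thresholds are illustrative, not Samba or Windows defaults)."""
    get = settings.get
    findings = []
    if not get("Password complexity", False):
        findings.append("complexity is off")
    if get("Minimum password length", 0) < min_length:
        findings.append("minimum length %d is below %d" % (get("Minimum password length", 0), min_length))
    if get("Password history length", 0) < min_history:
        findings.append("history length below %d allows reuse" % min_history)
    # In samba-tool output, 0 for these two values means 'never' / 'disabled'.
    if get("Maximum password age (days)", 0) == 0:
        findings.append("maximum age 0: passwords never expire")
    if get("Account lockout threshold (attempts)", 0) == 0:
        findings.append("lockout threshold 0: account lockout disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_settings(parse_settings(SAMPLE)):
        print("WEAK:", finding)
```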