Mark Fox
2013-Aug-09 20:42 UTC
[Samba] Removing password complexity requirements under Samba4
We had problems removing password complexity, and I noticed a lot of confusion on the list about exactly this topic. So I thought I would post our success.

We're talking about a Samba4 PDC/AD here. Once we got Samba installed and provisioned, we used samba-tool from the command line on the Samba box to change the domain password settings:

sudo samba-tool domain passwordsettings set --complexity=off
sudo samba-tool domain passwordsettings set --history-length=0
sudo samba-tool domain passwordsettings set --min-pwd-age=0
sudo samba-tool domain passwordsettings set --max-pwd-age=0

Restarted Samba, did a gpupdate /force on the workstation, and it worked. No need to set up a GPO (although that would sometimes be preferable).

We tried the samba-tool method initially, as well as a GPO, and were baffled when neither worked. I think we had our minimum password age at the default value (1 day) and were trying to reset the password the same day we created the accounts.

In any case, we're able to change passwords with reckless abandon in our test environment at the moment.

Mark
Gregory Sloop
2013-Aug-09 21:04 UTC
[Samba] Removing password complexity requirements under Samba4
MF> We had problems removing password complexity, and I noticed a lot of
MF> confusion on the list about exactly this topic. So I thought I would post
MF> our success.

MF> We're talking about a Samba4 PDC/AD here. Once we got Samba installed and
MF> provisioned, we used samba-tool from the command-line on the Samba box to
MF> change the domain password settings:

MF> sudo samba-tool domain passwordsettings set --complexity=off
MF> sudo samba-tool domain passwordsettings set --history-length=0
MF> sudo samba-tool domain passwordsettings set --min-pwd-age=0
MF> sudo samba-tool domain passwordsettings set --max-pwd-age=0

MF> Restarted Samba, did a gpupdate /force on the workstation, and it worked.
MF> No need to set up a GPO (although that would sometimes be preferable).

MF> We tried the samba-tool method initially, as well as a GPO, and were
MF> baffled when neither worked. I think we had our minimum password age at the
MF> default value (1 day) and were trying to reset the password the same day we
MF> created the accounts.

MF> In any case, we're able to change passwords with reckless abandon in our
MF> test environment at the moment.

MF> Mark

FYI Only:

One note, for the record. When you're doing the initial provision, and are supplying the root/admin password for the domain, there is NOT a way to reduce the complexity requirements for that operation. [Not that you'd *want* your master domain admin password to be something ridiculously lousy like "abc" or anything.] But someone has asked about getting 'round it before.

If it really bothers someone, you can always meet the complexity requirement during provision, then use the samba-tool as above, and change it to "xyz" if that's what turns your crank. :)

-Greg
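
Added example, not part of the original thread: a read-back check that parses `samba-tool domain passwordsettings show` output and reports which of the four settings changed above are relaxed, so the relaxed policy can be confirmed on a test domain or caught on a production one. The sample output and domain name are constructed, and the function names are hypothetical.

```shell
# Added example (not from the thread): read back the domain password policy
# and report which of the four settings changed in the thread are relaxed.

# Constructed sample of `samba-tool domain passwordsettings show` output,
# as it would look after the four commands in the thread.
sample_show_output() {
    cat <<'EOF'
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 0
EOF
}

# Reads "show" output on stdin; prints one line per audited setting.
audit_pwsettings() {
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line#*: }
        case "$key" in
            "Password complexity")
                if [ "$val" = "on" ]; then echo "OK complexity=on"
                else echo "RELAXED complexity=$val"; fi ;;
            "Password history length")
                if [ "$val" -gt 0 ]; then echo "OK history=$val"
                else echo "RELAXED history=0 (old passwords can be reused)"; fi ;;
            "Minimum password age (days)")
                if [ "$val" -gt 0 ]; then
                    echo "OK min-age=$val (user changes rejected for $val day(s) after the last change)"
                else echo "RELAXED min-age=0 (passwords can be changed immediately)"; fi ;;
            "Maximum password age (days)")
                if [ "$val" -gt 0 ]; then echo "OK max-age=$val"
                else echo "RELAXED max-age=0 (passwords never expire)"; fi ;;
        esac
    done
    return 0
}

# Counts the relaxed settings in "show" output supplied on stdin.
count_relaxed() {
    audit_pwsettings | grep -c '^RELAXED' || true
}

# On a DC, replace sample_show_output with: sudo samba-tool domain passwordsettings show
sample_show_output | audit_pwsettings
```

A non-zero result from `count_relaxed` on a production domain controller means the test-environment policy is in effect there.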