Make a note: it is better to disable 'check password script' in the
DC(s) before trying to join a new DC. ;(

root@vdcpp1:~# samba-tool domain join ad.my.dom DC -U"MYDOM\administrator" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'ad.my.dom'
Found DC vdcsv1.ad.my.dom
Password for [MYDOM\administrator]:
workgroup is MYDOM
realm is ad.my.dom
Adding CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=my,DC=dom
Adding CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=my,DC=dom
Adding CN=NTDS Settings,CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=my,DC=dom
Adding SPNs to CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=my,DC=dom
Setting account password for VDCPP1$
Enabling account
Adding DNS account CN=dns-VDCPP1,CN=Users,DC=ad,DC=my,DC=dom with dns/ SPN
Setting account password for dns-VDCPP1
Join failed - cleaning up
Deleted CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=my,DC=dom
Deleted CN=dns-VDCPP1,CN=Users,DC=ad,DC=my,DC=dom
Deleted CN=NTDS Settings,CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=my,DC=dom
Deleted CN=VDCPP1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=my,DC=dom
ERROR(ldb): uncaught exception - LDAP error 19 LDAP_CONSTRAINT_VIOLATION - <0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1151, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 725, in join_add_objects
    username=ctx.samname)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 514, in setpassword
    self.modify_ldif(setpw)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 236, in modify_ldif
    self.modify(msg, controls)

-- 
dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''        http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

    Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

Did you run the command to disable the password check or complexity on all your DCs?
That is needed.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 24 October 2017 15:33
> To: samba at lists.samba.org
> Subject: [Samba] 'check password script' and Join...

On Tue, 24 Oct 2017 15:56:39 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Did you run the command to disable the password check or
> complexity on all your DCs? That is needed.
>

Or to put it another way, you don't need 'check password script' with AD ;-)

Rowland

Hello! L.P.H. van Belle via samba
  On that day it was said...

> Did you run the command to disable the password check or complexity on all your DCs?

Oh, never minded about that. Sure. Instead of commenting 'check
password script' I can do:

    samba-tool domain passwordsettings set --complexity=off

sure! Thanks!

But why do you say «on all your DCs»? The password policies are related to
the domain, not to the single DC? Or password policies are not
''replicated'' and have to be set on every DC?

> That is needed.

Only for the join, right? After that, I can re-enable complexity
checks, right? Or a domain with multiple DCs ought to have
'--complexity=off' (and use GPOs for password policy)?

Thanks.

-- 
dott. Marco Gaiarin
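
An added example, not part of the thread or of Samba's code: it triages the join transcript from the first message, reporting which account's password set came just before "Join failed" and decoding the LDAP error line. The function and constant names are assumptions, and the embedded log is a constructed, abridged copy of the posted output.

```python
import re

# Constructed sample: the join transcript from the post, abridged, one step per line.
SAMPLE_JOIN_LOG = """\
Found DC vdcsv1.ad.my.dom
Adding CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=my,DC=dom
Setting account password for VDCPP1$
Enabling account
Adding DNS account CN=dns-VDCPP1,CN=Users,DC=ad,DC=my,DC=dom with dns/ SPN
Setting account password for dns-VDCPP1
Join failed - cleaning up
Deleted CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=my,DC=dom
Deleted CN=dns-VDCPP1,CN=Users,DC=ad,DC=my,DC=dom
ERROR(ldb): uncaught exception - LDAP error 19 LDAP_CONSTRAINT_VIOLATION - <0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!> <>
"""

# Hypothetical helper names; the patterns only match the line shapes shown in the post.
SETPW_RE = re.compile(r"^Setting account password for (\S+)$")
ERROR_RE = re.compile(
    r"LDAP error (\d+) (\w+) - <([0-9A-Fa-f]{8}): [^>]*?- (\w+): ([^>]*)>")
ERROR_PASSWORD_RESTRICTION = 0x52D  # Windows error 1325: password rejected by policy


def triage_join_log(text):
    """Summarise a failed 'samba-tool domain join' transcript; None if it did not fail."""
    account, failed, rolled_back, error = None, False, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        setpw = SETPW_RE.match(line)
        if setpw and not failed:
            account = setpw.group(1)      # last password set before the failure
        elif line.startswith("Join failed"):
            failed = True
        elif failed and line.startswith("Deleted "):
            rolled_back.append(line[len("Deleted "):])
        error = ERROR_RE.search(line) or error
    if not failed:
        return None
    report = {"account": account, "rolled_back": rolled_back,
              "policy_rejection": False}
    if error:                             # the error line may be missing in a cut log
        ldap_rc, win_error = int(error.group(1)), int(error.group(3), 16)
        report.update(ldap_rc=ldap_rc, ldap_name=error.group(2),
                      win_error=win_error, raised_by=error.group(4),
                      message=error.group(5),
                      policy_rejection=(ldap_rc == 19 and
                                        win_error == ERROR_PASSWORD_RESTRICTION))
    return report


if __name__ == "__main__":
    for key, value in triage_join_log(SAMPLE_JOIN_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the report names dns-VDCPP1 as the account whose password set was rejected, after the one for VDCPP1$ had already gone through.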