Hello! Rowland Penny via samba, on that day, wrote...

> The password settings are related to the DC and by default you cannot
> set or change a password if it isn't complex enough

Ok.

> , you do not need to use an external script.

Ahem, someone out there needs it. ;-)

This means that, if I keep a 'check password script', I could also hit
some troubles on, e.g., workstation join or the renewal of the machine
password?

> Problem with using GPOs for password complexity, GPOs do not apply to
> Samba DCs.

Ok, I mean that: I can set up password policies on GPOs, but the DCs
cannot ''enforce'' it.

So, trying to summarize:

a) 'check password script' is called for every password change, also the
''system'' ones (join, ...); this can be a potential source of trouble.

b) password policies defined with 'samba-tool domain passwordsettings set'
are ''per DC'', they do not get ''replicated''.

c) if you need to enforce password policies in a domain, you have to set
password policies for every DC.

Right? Thanks.

PS: and domain members? How do they enforce password policies? Directly on
the AD DC, I suppose... but I'll ask. ;-)

--
dott. Marco Gaiarin                       GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it      t +39-0434-842711  f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Tue, 24 Oct 2017 18:07:23 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba, on that day, wrote...
>
> > The password settings are related to the DC and by default you
> > cannot set or change a password if it isn't complex enough
>
> Ok.
>
> > , you do not need to use an external script.
>
> Ahem, someone out there needs it. ;-)

Why? If you use the default settings, then you cannot set a simple
password, or am I missing something here? Just what complexity do you
require?

> This means that, if I keep a 'check password script', I could also hit
> some troubles on, e.g., workstation join or the renewal of the machine
> password?

Possibly. I just rely on the default settings on the DC and don't have a
problem, but you may have problems with workstation passwords, I just
don't know.

> > Problem with using GPOs for password complexity, GPOs do not apply
> > to Samba DCs.
>
> Ok, I mean that: I can set up password policies on GPOs, but the DCs
> cannot ''enforce'' it.

Yes, but they are enforced on Windows clients.

> So, trying to summarize:
>
> a) 'check password script' is called for every password change, also
> the ''system'' ones (join, ...); this can be a potential source of
> trouble.

Possibly.

> b) password policies defined with 'samba-tool domain passwordsettings
> set' are ''per DC'', they do not get ''replicated''.

They are replicated.

> c) if you need to enforce password policies in a domain, you have to
> set password policies for every DC.

You should only have to set them on one DC.

> Right? Thanks.
>
> PS: and domain members? How do they enforce password policies? Directly
> on the AD DC, I suppose... but I'll ask. ;-)

Seeing as the passwords are stored on the DC and you change them there,
I will leave you to decide that ;-)

Rowland
On Tue, 2017-10-24 at 18:07 +0200, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba, on that day, wrote...
>
> > The password settings are related to the DC and by default you cannot
> > set or change a password if it isn't complex enough
>
> Ok.
>
> > , you do not need to use an external script.
>
> Ahem, someone out there needs it. ;-)
>
> This means that, if I keep a 'check password script', I could also hit
> some troubles on, e.g., workstation join or the renewal of the machine
> password?

No.

	/* Only non-trust accounts have restrictions (possibly this test is the
	 * wrong way around, but we like to be restrictive if possible */
	io->u.restrictions = !(io->u.userAccountControl
		& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT));

Later:

	if (io->u.restrictions == 0) {
		/* FIXME: Is this right? */
		return LDB_SUCCESS;
	}

The script won't be run for machine accounts.

> > Problem with using GPOs for password complexity, GPOs do not apply to
> > Samba DCs.
>
> Ok, I mean that: I can set up password policies on GPOs, but the DCs
> cannot ''enforce'' it.

The settings don't apply from the GPO into the AD DC yet. I am reviewing
patches to fix that however.

> So, trying to summarize:
>
> a) 'check password script' is called for every password change, also
> the ''system'' ones (join, ...); this can be a potential source of
> trouble.

No, just for users. That could include 'service accounts' created by
other software, but not actual machine accounts.

> b) password policies defined with 'samba-tool domain passwordsettings
> set' are ''per DC'', they do not get ''replicated''.

No, they are replicated.

> c) if you need to enforce password policies in a domain, you have to
> set password policies for every DC.

No, the settings are in the replicated sam.ldb.

> Right? Thanks.
>
> PS: and domain members? How do they enforce password policies? Directly
> on the AD DC, I suppose... but I'll ask. ;-)

They don't ask the DC for the choice of local user passwords as far as
I'm aware. There is an API to check if a password is OK (SAMR
ValidatePassword), but I've not seen it called for that, but I've also
not really been looking.

Thanks for asking for clarification, I hope this puts you at ease.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
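The hook the thread keeps coming back to, as an added example that is not part of the thread and not Samba's own code: a minimal 'check password script' for an AD DC. Samba writes the candidate password to the script's standard input and treats exit status 0 as "accept" and anything else as "reject"; since, as Andrew explains above, the DC does not run this hook for machine (trust) accounts, a stricter rule for user passwords does not interfere with workstation joins or machine password renewal. Everything beyond that is assumed for the example: the `SAMBA_CPS_ACCOUNT_NAME` environment variable (exported to this script by newer Samba releases, not mentioned in the thread), the install path `/usr/local/sbin/check_password.sh`, the minimum length, and the short constructed deny list.

```shell
#!/bin/sh
# Constructed example of a Samba 'check password script'; not from this
# thread and not part of Samba. Samba feeds the candidate password on stdin;
# exit 0 accepts it, any other status rejects it. The AD DC skips this hook
# for machine (trust) accounts, so only user and service account passwords
# are subject to the rules below.
#
# Assumptions (not from the thread): the DC exports SAMBA_CPS_ACCOUNT_NAME
# and the script is installed as /usr/local/sbin/check_password.sh.

MIN_LEN=12

# Constructed deny list: strings that satisfy the length rule but are well
# known. A real deployment would load a much larger list from a file.
DENY_LIST="password1234 correcthorsebattery welcome12345"

# check_password PASSWORD [ACCOUNT_NAME]
# Returns 0 when acceptable, 1 when too short, 2 when the password contains
# the account name (case-insensitive), 3 when it is on the deny list.
check_password() {
    pw=$1
    acct=$2

    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        return 1
    fi

    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

    if [ -n "$acct" ]; then
        lacct=$(printf '%s' "$acct" | tr '[:upper:]' '[:lower:]')
        case "$lpw" in
            *"$lacct"*) return 2 ;;
        esac
    fi

    for bad in $DENY_LIST; do
        if [ "$lpw" = "$bad" ]; then
            return 3
        fi
    done

    return 0
}

# Entry point used when Samba executes the script: read the password from
# stdin (it is never passed as an argument, so it does not appear in process
# listings) and map the verdict onto the exit status Samba expects.
main() {
    pw=$(cat)
    check_password "$pw" "${SAMBA_CPS_ACCOUNT_NAME:-}"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        # Report only the rule number; never echo the password anywhere.
        echo "password rejected (rule $rc)" >&2
    fi
    return "$rc"
}

# Act as the hook only when executed under the installed name, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    check_password.sh) main; exit $? ;;
esac
```

Wire it in with `check password script = /usr/local/sbin/check_password.sh` in the DC's smb.conf. To confirm the point Andrew makes about the policy itself living in the replicated sam.ldb, `samba-tool domain passwordsettings show` should print the same values on every DC after the change on one of them.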
Hello! Andrew Bartlett via samba, on that day, wrote...

> Thanks for asking for clarification, I hope this puts you at ease.

Sure! Thanks to you! Only a bit more:

> > PS: and domain members? How do they enforce password policies? Directly
> > on the AD DC, I suppose... but I'll ask. ;-)

> They don't ask the DC for the choice of local user passwords as far as
> I'm aware. There is an API to check if a password is OK (SAMR
> ValidatePassword), but I've not seen it called for that, but I've also
> not really been looking.

No, I was not clear. I don't mean ''password quality'', but ''password
age''.

In NT/LDAP/smbldap-tools mode, I used to populate shadow account LDAP
data, ''copying'' the expiration date from the Samba/Windows ones, so I
added the NSS 'shadow' LDAP context and the POSIX layer is aware of
password expiration.

I supposed that now passwords are checked against the DC in a
''black/white'' way, e.g. if I try to authenticate I get something like:

a) good
b) bad password
c) password expired, please change
d) account disabled

Right? Has no one tried to add a 'shadow' context in winbind? I'm simply
curious... ;-)

Again, thanks.

--
dott. Marco Gaiarin