samba - Dec 2015 - Confusion about account locking policy (Samba AD/Windows 7 client)

Hi,

here on the wiki
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
I read this:


    "Is it possible to set user specific password policies in Samba4 (e.
    g. on a OU-base)?

Samba can't handle GPO restrictions. You have to use 'samba-tool domain 
passwordsettings' to change password policies. But this only applies on 
domain level."

So, I have set my account lockout policy on the Samba4 DC to '5' 
incorrect attempts. However, on a Windows 7 client it needs only 3 
invalid attempts to get the account locked out (tested on 3 different 
machines). And on domain join it seems only to need 1 invalid attempt.

What is the full story here?

Ole

I expect you already did that but in case of... did you rebooted your
Windows client to apply new Computer's GPO (or use gpupdate MS tool)?

2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> Hi,
>
> here on the wiki
>
>
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
>
>
>    "Is it possible to set user specific password policies in Samba4
(e.
>    g. on a OU-base)?
>
> Samba can't handle GPO restrictions. You have to use 'samba-tool
domain
> passwordsettings' to change password policies. But this only applies on
> domain level."
>
> So, I have set my account lockout policy on the Samba4 DC to '5'
incorrect
> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
> to get the account locked out (tested on 3 different machines). And on
> domain join it seems only to need 1 invalid attempt.
>
> What is the full story here?
>
> Ole
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

As far as I understand Samba and the wiki in this regard, the Samba4 
DC's password policy is no typical domain policy (no GPO). It can't be 
inherited by Windows clients. So I suspect the full story to be:

- on the Unix side (DC and member server) the Samba password rules apply
- on the Windows client side the inherited Windows POLICIES apply (as 
far as possible)

In effect, if e.g. password lockout threshold is configured differently 
on Samba DC and Windows clients, the lower threshold of the two will 
determine the behavior of the domain (on Windows clients).

Does that sound reasonable?

Ole


Am 08.12.2015 um 17:06 schrieb mathias dufresne:
> I expect you already did that but in case of... did you rebooted your
> Windows client to apply new Computer's GPO (or use gpupdate MS tool)?
>
> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi,
>>
>> here on the wiki
>>
>>
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>>
>>     "Is it possible to set user specific password policies in
Samba4 (e.
>>     g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use
'samba-tool domain
>> passwordsettings' to change password policies. But this only
applies on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to
'5' incorrect
>> attempts. However, on a Windows 7 client it needs only 3 invalid
attempts
>> to get the account locked out (tested on 3 different machines). And on
>> domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
>>
>> Ole
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>

On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
> Hi,
> 
> here on the wiki
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_speci
> fic_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
> 
> 
>     "Is it possible to set user specific password policies in Samba4
> (e.
>     g. on a OU-base)?
> 
> Samba can't handle GPO restrictions. You have to use 'samba-tool
> domain 
> passwordsettings' to change password policies. But this only applies
> on 
> domain level."
> 
> So, I have set my account lockout policy on the Samba4 DC to '5' 
> incorrect attempts. However, on a Windows 7 client it needs only 3 
> invalid attempts to get the account locked out (tested on 3 different
> machines). And on domain join it seems only to need 1 invalid
> attempt.
> 
> What is the full story here?
We don't know why we lock out faster than we expect to.  Some careful
code tracing to follow the updates to the bad password count (and even
better, a comparison with Windows) is needed.
Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

I can do some playing around:

a) I have set a GPO for lockout at '10' invalid attempts (the rest of 
the password options set as on Samba DC), forced the 'gpupdate', and 
left the Samba rules set to '5' (checked on both DCs). But still I get 
locked out after 3 invalid attempts.

b) I have set the Samba rules to '10' (or '15') invalid attempts
and get
locked out after 6 (or 8) now. So:

Setting '5': locked out after 3
Setting '10': locked out after 6
Setting '15': locked out after 8

Seems that Samba doubles the count and looses one.

No big deal, however, was just curious as I had locked out myself once 
too early.

Ole


Am 09.12.2015 um 07:32 schrieb Andrew Bartlett:
> On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
>> Hi,
>>
>> here on the wiki
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_speci
>> fic_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>>
>>      "Is it possible to set user specific password policies in
Samba4
>> (e.
>>      g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use
'samba-tool
>> domain
>> passwordsettings' to change password policies. But this only
applies
>> on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to
'5'
>> incorrect attempts. However, on a Windows 7 client it needs only 3
>> invalid attempts to get the account locked out (tested on 3 different
>> machines). And on domain join it seems only to need 1 invalid
>> attempt.
>>
>> What is the full story here?
> We don't know why we lock out faster than we expect to.  Some careful
> code tracing to follow the updates to the bad password count (and even
> better, a comparison with Windows) is needed.
> Sorry,
>
> Andrew Bartlett
>