Ole Traupe
2015-Dec-08 15:54 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
Hi,

here on the wiki
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
I read this:

"Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?

Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."

So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.

What is the full story here?

Ole
mathias dufresne
2015-Dec-08 16:06 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
I expect you already did that but in case of... did you reboot your Windows client to apply the new Computer GPO (or use the gpupdate MS tool)?

2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> Hi,
>
> here on the wiki
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
>
> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>
> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>
> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>
> What is the full story here?
>
> Ole
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Ole Traupe
2015-Dec-08 16:29 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
As far as I understand Samba and the wiki in this regard, the Samba4 DC's password policy is no typical domain policy (no GPO). It can't be inherited by Windows clients. So I suspect the full story to be:

- on the Unix side (DC and member server) the Samba password rules apply
- on the Windows client side the inherited Windows POLICIES apply (as far as possible)

In effect, if e.g. the password lockout threshold is configured differently on the Samba DC and on Windows clients, the lower threshold of the two will determine the behavior of the domain (on Windows clients).

Does that sound reasonable?

Ole

On 08.12.2015 at 17:06, mathias dufresne wrote:
> I expect you already did that but in case of... did you reboot your Windows client to apply the new Computer GPO (or use the gpupdate MS tool)?
>
> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi,
>>
>> here on the wiki
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
>>
>> Ole
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2015-Dec-09 06:32 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
> Hi,
>
> here on the wiki
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
>
> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>
> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>
> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>
> What is the full story here?

We don't know why we lock out faster than we expect to. Some careful code tracing to follow the updates to the bad password count (and even better, a comparison with Windows) is needed.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Ole Traupe
2015-Dec-09 10:32 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
I can do some playing around:

a) I have set a GPO for lockout at '10' invalid attempts (the rest of the password options set as on the Samba DC), forced the 'gpupdate', and left the Samba rules set to '5' (checked on both DCs). But still I get locked out after 3 invalid attempts.

b) I have set the Samba rules to '10' (or '15') invalid attempts and get locked out after 6 (or 8) now.

So:

Setting '5': locked out after 3
Setting '10': locked out after 6
Setting '15': locked out after 8

Seems that Samba doubles the count and loses one. No big deal, however, I was just curious as I had locked myself out once too early.

Ole

On 09.12.2015 at 07:32, Andrew Bartlett wrote:
> On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
>> Hi,
>>
>> here on the wiki
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
> We don't know why we lock out faster than we expect to. Some careful code tracing to follow the updates to the bad password count (and even better, a comparison with Windows) is needed.
> Sorry,
>
> Andrew Bartlett
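Andrew's reply asks for the bad password count to be followed on the DC side rather than inferred from the client, and Ole's table is exactly the kind of observation that is easier to interpret with the DC's own numbers next to it. The helper below is an added example for this thread, not Samba's code and not something either poster ran: it parses the text that `samba-tool domain passwordsettings show` prints and an LDIF-style dump of `badPwdCount`/`lockoutTime` such as `ldbsearch` emits, and reports which accounts are locked or one bad password away from the domain threshold. The settings text and LDIF records embedded here are constructed samples in the shape of those tools' output (domain name, user names, counts and the FILETIME value are all made up); on a real DC you would feed it the live output instead. Checking `badPwdCount` after each deliberate failed logon is the direct way to see whether the DC counter moves by more than one per attempt, which is what Ole's 5/3, 10/6, 15/8 figures suggest.

```python
"""Lockout diagnostic for a Samba AD DC (added example, constructed data).

Parses (1) the output of `samba-tool domain passwordsettings show` and
(2) an LDIF dump of user lockout attributes, e.g. from
    ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
        sAMAccountName badPwdCount lockoutTime
and classifies each account relative to the lockout threshold.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `samba-tool domain passwordsettings show`.
SAMPLE_SETTINGS = """\
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30
"""

# Constructed LDIF in the shape of ldbsearch output (records and values made up).
SAMPLE_LDIF = """\
# record 1
dn: CN=ole,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: ole
badPwdCount: 5
lockoutTime: 130935621234567890

# record 2
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
badPwdCount: 4
lockoutTime: 0

# record 3
dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob
badPwdCount: 0

# returned 3 records
"""

# lockoutTime is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_passwordsettings(text):
    """Pick the lockout-related values out of the samba-tool output."""
    keys = {
        "Account lockout threshold (attempts)": "lockout_threshold",
        "Account lockout duration (mins)": "lockout_duration_min",
        "Reset account lockout after (mins)": "lockout_reset_min",
    }
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in keys:
            settings[keys[label.strip()]] = int(value.strip())
    return settings


def parse_ldif(text):
    """Parse the minimal LDIF subset ldbsearch emits into a list of dicts.
    '#' comment lines are skipped; a blank line ends a record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def lockout_report(settings_text, ldif_text):
    """Map sAMAccountName -> {'badPwdCount', 'status', 'lockoutTime'}.
    status is 'locked' (lockoutTime set), 'near' (one more bad password
    reaches the threshold) or 'ok'. Threshold 0 means lockout is disabled."""
    threshold = parse_passwordsettings(settings_text)["lockout_threshold"]
    report = {}
    for rec in parse_ldif(ldif_text):
        bad = int(rec.get("badPwdCount", "0"))
        locked_at = int(rec.get("lockoutTime", "0"))
        if locked_at:
            status = "locked"
        elif threshold and bad >= threshold - 1:
            status = "near"
        else:
            status = "ok"
        report[rec["sAMAccountName"]] = {
            "badPwdCount": bad,
            "status": status,
            "lockoutTime": filetime_to_datetime(locked_at) if locked_at else None,
        }
    return report


if __name__ == "__main__":
    for user, info in lockout_report(SAMPLE_SETTINGS, SAMPLE_LDIF).items():
        print(f"{user:10} badPwdCount={info['badPwdCount']:<3} {info['status']}")
```

Run it on a DC by replacing the two constants with the captured command output; re-running after each deliberate failed logon from a Windows client shows how many units `badPwdCount` advances per attempt, which separates a client-side retry from a DC-side double count.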