Ole Traupe
2015-Dec-08 16:29 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
As far as I understand Samba and the wiki in this regard, the Samba4 DC's password policy is no typical domain policy (no GPO). It can't be inherited by Windows clients. So I suspect the full story to be:

- on the Unix side (DC and member server) the Samba password rules apply
- on the Windows client side the inherited Windows POLICIES apply (as far as possible)

In effect, if e.g. password lockout threshold is configured differently on Samba DC and Windows clients, the lower threshold of the two will determine the behavior of the domain (on Windows clients).

Does that sound reasonable?

Ole

On 08.12.2015 at 17:06, mathias dufresne wrote:
> I expect you already did that but in case of... did you reboot your
> Windows client to apply new Computer's GPO (or use gpupdate MS tool)?
>
> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi,
>>
>> here on the wiki
>>
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>> "Is it possible to set user specific password policies in Samba4 (e.
>> g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>> passwordsettings' to change password policies. But this only applies on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect
>> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
>> to get the account locked out (tested on 3 different machines). And on
>> domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
>>
>> Ole
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2015-Dec-08 16:45 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
I just can't reply to your question as I have not this information. I don't know how Samba works, I've got feelings about how it works : )
And as my MS world knowledge is just worst, I can't rely on it to tell you how Windows generates its passwords policy.

How I think it works is:
you configure password policy using samba-tool
samba modifies the default domain policy (not tested, even if it's easy enough)
windows client gets the new policy when gpupdate is launched or at boot time (because password policy is computer policy and this because there is nothing in Samba to manage that account by account)

Just feelings...

2015-12-08 17:29 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> As far as I understand Samba and the wiki in this regard, the Samba4 DC's
> password policy is no typical domain policy (no GPO). It can't be inherited
> by Windows clients. So I suspect the full story to be:
>
> - on the Unix side (DC and member server) the Samba password rules apply
> - on the Windows client side the inherited Windows POLICIES apply (as far
> as possible)
>
> In effect, if e.g. password lockout threshold is configured differently on
> Samba DC and Windows clients, the lower threshold of the two will determine
> the behavior of the domain (on Windows clients).
>
> Does that sound reasonable?
>
> Ole
>
> On 08.12.2015 at 17:06, mathias dufresne wrote:
>
>> I expect you already did that but in case of... did you reboot your
>> Windows client to apply new Computer's GPO (or use gpupdate MS tool)?
>>
>> 2015-12-08 16:54 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>>> Hi,
>>>
>>> here on the wiki
>>>
>>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>>> I read this:
>>>
>>> "Is it possible to set user specific password policies in Samba4 (e.
>>> g. on a OU-base)?
>>>
>>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>>> passwordsettings' to change password policies. But this only applies on
>>> domain level."
>>>
>>> So, I have set my account lockout policy on the Samba4 DC to '5'
>>> incorrect
>>> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
>>> to get the account locked out (tested on 3 different machines). And on
>>> domain join it seems only to need 1 invalid attempt.
>>>
>>> What is the full story here?
>>>
>>> Ole
Andrew Bartlett
2015-Dec-09 09:03 UTC
[Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
On Tue, 2015-12-08 at 17:45 +0100, mathias dufresne wrote:
> I just can't reply to your question as I have not this information. I don't
> know how Samba works, I've got feelings about how it works : )
> And as my MS world knowledge is just worst, I can't rely on it to tell you
> how Windows generates its passwords policy.
>
> How I think it works is:
> you configure password policy using samba-tool
> samba modifies the default domain policy (not tested, even if it's easy
> enough)

No, Samba neither reads nor writes group policy files.

> windows client gets the new policy when gpupdate is launched or at boot time
> (because password policy is computer policy and this because there is
> nothing in Samba to manage that account by account)

No, the windows client doesn't know about domain controller policies, and wouldn't have the right to lock out accounts even if it did.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba