Mandi! L.P.H. van Belle via samba In chel di` si favelave...> Did you run the command to disable the password check or complexabilty on all you DC's?Oh, never minded about that. Sure. Instead of commenting 'check password script' i can do: samba-tool domain passwordsettings set --complexity=off sure! Thanks! But, why you say «on all you DC's»? The password policies are related to the domain, not to the single DC? Or password policies are not ''replicated'' and have to be set on every DC?> That is needed.Only for the join, right? After that, i can re-enable complexity checks, right? Or a domain with multiple DC ought to have '--complexity=off' (and use GPOs for password policy)? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Tue, 24 Oct 2017 16:58:49 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > Did you run the command to disable the password check or > > complexabilty on all you DC's? > > Oh, never minded about that. Sure. > Instead of commenting 'check password script' i can do: > > samba-tool domain passwordsettings set --complexity=off > > sure! Thanks! > > But, why you say «on all you DC's»? The password policies are related > to the domain, not to the single DC?The password settings are related to the DC and by default you cannot set or change a password if it isn't complex enough, you do not need to use an external script.> Or password policies are not ''replicated'' and have to be set on > every DC?> > > > That is needed. > > Only for the join, right? After that, i can re-enable complexity > checks, right? > Or a domain with multiple DC ought to have '--complexity=off' (and use > GPOs for password policy)?Problem with using GPOs for password complexity, GPOs do not apply to Samba DCs. Rowland
Mandi! Rowland Penny via samba In chel di` si favelave...> The password settings are related to the DC and by default you cannot > set or change a password if it isn't complex enoughOk.>, you do not need to use an external script.Ahem, someone out there need it. ;-) This mean that, if i keep a 'check password script', i could also hit some trubles on, eg, workstation join or the renew of the machine password?> Problem with using GPOs for password complexity, GPOs do not apply to > Samba DCs.Ok, i mean that: i can setup password policies on GPOs, but the DCs cannot ''enforce'' it. So, trying to summarize: a) 'check password script' are called for every password change, also the ''system'' one (join, ...); this can be a potential source of trouble. b) password policies defined with 'samba-tool domain passwordsettings set' are ''per DCs'', they not get ''replicated''. c) if you need to enforce password policies in a domain, you have to set password policies for every DCs. Right? Thanks. PS: and domain members? How they enforce passwords policies? Directly on AD DC, i suppose... but i'll ask. ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)