Hi,

We are running Samba-AD and all things are working absolutely fine. However, two very specific issues were observed: one related to Windows clients (members) automatically synchronizing the time with the PDC emulator, and the second, password policies are not getting enforced.

/*Time Synchronization:*/

Normally, in a totally Windows environment, when adding a Windows PC (or server) to a domain as a member, it automatically synchronizes its time with the PDC emulator. However, in the case of Samba-AD, we have to manually synchronize the time with the PDC emulator before making the Windows PC (or server) a member of the domain. If the time difference between the Samba-AD and the Windows client is more than 300 seconds, the client, instead of synchronizing the time with Samba-AD's PDC emulator, throws the error and stops. This behavior is observed with Windows XP, Windows 7, Windows 8 / 8.1, Windows 10 and all Windows Server editions.

Any specific setting we have to enable on the Samba-AD to automatically synchronize the time while adding domain members?

/*Password Policies*/

Password policies are not getting enforced on the clients. Initially we thought that we have to set those policies using "samba-tool user passwordsettings" and not on Windows GPO. As this was not enforcing the password policies, we set the GPO with the same settings. Yet the same result. Password policies are not getting applied.

We have three domain controllers in our environment.

Any guidance to set these right?

--
Thanks & Regards,
Anantha Raghava

Hi,

On 21-11-2017 4:40, Anantha Raghava via samba wrote:
>
> /*Password Policies*/
>
> Password policies are not getting enforced on the clients. Initially we
> thought that we have to set those policies using "samba-tool user
> passwordsettings" and not on Windows GPO. As this was not enforcing the
> password policies, we set the GPO with the same settings. Yet the same
> result. Password Policies are not getting applied.
>
> We have three domain controllers in our environment.

No expert, and please someone correct me if I'm wrong, but:

I think the samba-tool user passwordsettings are local-DC-specific, so you need to run it on all your DCs.
Could it be that you configured only one DC, and your password change happens to be talking with a different DC..?

MJ

Hello, lists via samba!
On that day it was said...

> No expert, and please someone correct me if I'm wrong, but:
> I think the samba-tool user passwordsettings are local-DC-specific, so you
> need to run it on all your DCs.
> Could it be that you configured only one DC, and your password change
> happens to be talking with a different DC..?

AFAIK you are wrong: the policies are on the domain (in the LDAP data, the root DN, look at them!).

AFAIK it is the 'privileges' that are host-specific.

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/

You guys mix two things.

> AFAIK is the 'privileges' that are host-specific.

Is correct.

> the policies are on the domain (in the LDAP data,
> the root DN, look at them!).

Yes, but only the GPO policies, and these are not applied to the samba server.
And because of that, samba-tools password settings need to be set on every DC.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 21 November 2017 11:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] Time synchronization and Password Policies
>
> Hello, lists via samba!
> On that day it was said...
>
> > No expert, and please someone correct me if I'm wrong, but:
> > I think the samba-tool user passwordsettings are local-DC-specific, so you
> > need to run it on all your DCs.
> > Could it be that you configured only one DC, and your password change
> > happens to be talking with a different DC..?
>
> AFAIK you are wrong: the policies are on the domain (in the LDAP data,
> the root DN, look at them!).
>
> AFAIK is the 'privileges' that are host-specific.

On 11/21/2017 4:34 AM, lists via samba wrote:
> Hi,
>
> On 21-11-2017 4:40, Anantha Raghava via samba wrote:
>>
>> /*Password Policies*/
>>
>> Password policies are not getting enforced on the clients. Initially
>> we thought that we have to set those policies using "samba-tool user
>> passwordsettings" and not on Windows GPO. As this was not enforcing
>> the password policies, we set the GPO with the same settings. Yet the
>> same result. Password Policies are not getting applied.
>>
>> We have three domain controllers in our environment.
>
> No expert, and please someone correct me if I'm wrong, but:
>
> I think the samba-tool user passwordsettings are local-DC-specific, so
> you need to run it on all your DCs.
> Could it be that you configured only one DC, and your password change
> happens to be talking with a different DC..?
>
> MJ
>

You are correct from my own environment. Is this how a Microsoft domain behaves as well, or a limit of Samba not being able to replicate these attributes? If anyone knows, btw. Thanks.

--
James

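
Added example, not part of any message in this thread: one way to check what each of the three DCs actually holds is to read the password-policy attributes of the domain root object from every DC and compare them. The DC names, the `example.lan` domain and all LDIF values below are constructed; the attribute names are the standard ones on an AD domain object.

```python
# Compare password-policy attributes of the domain root object across DCs.
POLICY_ATTRS = ("minPwdLength", "pwdHistoryLength", "pwdProperties",
                "minPwdAge", "maxPwdAge", "lockoutThreshold")
DOMAIN_PASSWORD_COMPLEX = 0x1  # complexity bit in pwdProperties
LDIF = """dn: DC=example,DC=lan
minPwdLength: {length}
pwdHistoryLength: 24
pwdProperties: {props}
minPwdAge: -864000000000
maxPwdAge: -36288000000000
lockoutThreshold: 5
"""
SAMPLE = {"dc1": LDIF.format(length=8, props=1),  # hypothetical DC names
          "dc2": LDIF.format(length=8, props=1),
          "dc3": LDIF.format(length=7, props=0)}  # constructed: dc3 differs

def parse_policy(ldif):
    """Return {attribute: int} for the policy attributes of one LDIF entry."""
    policy = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name in POLICY_ATTRS:
            policy[name] = int(value)
    return policy

def describe(attr, value):
    if value is None:
        return "missing"
    if attr in ("minPwdAge", "maxPwdAge"):
        # stored as a negative count of 100-nanosecond intervals
        return f"{abs(value) / 10_000_000 / 86400:g} days"
    if attr == "pwdProperties":
        return "complexity on" if value & DOMAIN_PASSWORD_COMPLEX else "complexity off"
    return str(value)

def policy_drift(per_dc):
    """Map each attribute that differs between DCs to {dc: readable value}."""
    parsed = {dc: parse_policy(text) for dc, text in per_dc.items()}
    drift = {}
    for attr in POLICY_ATTRS:
        raw = {dc: p.get(attr) for dc, p in parsed.items()}
        if len(set(raw.values())) > 1:
            drift[attr] = {dc: describe(attr, v) for dc, v in raw.items()}
    return drift

if __name__ == "__main__":
    for attr, values in policy_drift(SAMPLE).items():
        print(attr, values)
```

An empty result means every DC returned the same policy values; any attribute listed shows which DC disagrees and how.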