On 11/21/2017 4:34 AM, lists via samba wrote:
> Hi,
>
> On 21-11-2017 4:40, Anantha Raghava via samba wrote:
>>
>> /*Password Policies*/
>>
>> Password policies are not getting enforced on the clients. Initially
>> we thought that we have to set those policies using "samba-tool user
>> passwordsettings" and not on Windows GPO. As this was not enforcing
>> the password policies, we set the GPO with the same settings. Yet the
>> same result. Password Policies are not getting applied.
>>
>> We have three domain controllers in our environment.
>
> No expert, and please someone correct me if I'm wrong, but:
>
> I think the samba-tool user passwordsettings are local-DC-specific, so
> you need to run it on all your DCs.
> Could it be that you configured only one DC, and your password change
> happens to be talking with a different DC..?
>
> MJ
>

You are correct from my own environment.

Is this how a Microsoft domain behaves as well or a limit of Samba not being able to replicate these attributes? If anyone knows btw. Thanks.

--
--
James

On Tue, 2017-11-21 at 09:02 -0500, lingpanda101 via samba wrote:
> On 11/21/2017 4:34 AM, lists via samba wrote:
> > Hi,
> >
> > On 21-11-2017 4:40, Anantha Raghava via samba wrote:
> > >
> > > /*Password Policies*/
> > >
> > > Password policies are not getting enforced on the clients. Initially
> > > we thought that we have to set those policies using "samba-tool user
> > > passwordsettings" and not on Windows GPO. As this was not enforcing
> > > the password policies, we set the GPO with the same settings. Yet the
> > > same result. Password Policies are not getting applied.
> > >
> > > We have three domain controllers in our environment.
> >
> > No expert, and please someone correct me if I'm wrong, but:
> >
> > I think the samba-tool user passwordsettings are local-DC-specific, so
> > you need to run it on all your DCs.
> > Could it be that you configured only one DC, and your password change
> > happens to be talking with a different DC..?
> >
> > MJ
> >
>
> You are correct from my own environment.
>
> Is this how a Microsoft domain behaves as well or a limit of Samba
> not being able to replicate these attributes? If anyone knows btw. Thanks.

MJ's statement is not correct. The password policy attributes are replicated, the configuration only needs to be done on a single DC.

Additionally, for Samba 4.8 it will (currently off by default) be possible for a DC to read the password policy and other security settings from the GPO files.

Thanks,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

On 11/21/2017 4:59 PM, Andrew Bartlett wrote:
> On Tue, 2017-11-21 at 09:02 -0500, lingpanda101 via samba wrote:
>> On 11/21/2017 4:34 AM, lists via samba wrote:
>>> Hi,
>>>
>>> On 21-11-2017 4:40, Anantha Raghava via samba wrote:
>>>> /*Password Policies*/
>>>>
>>>> Password policies are not getting enforced on the clients. Initially
>>>> we thought that we have to set those policies using "samba-tool user
>>>> passwordsettings" and not on Windows GPO. As this was not enforcing
>>>> the password policies, we set the GPO with the same settings. Yet the
>>>> same result. Password Policies are not getting applied.
>>>>
>>>> We have three domain controllers in our environment.
>>> No expert, and please someone correct me if I'm wrong, but:
>>>
>>> I think the samba-tool user passwordsettings are local-DC-specific, so
>>> you need to run it on all your DCs.
>>> Could it be that you configured only one DC, and your password change
>>> happens to be talking with a different DC..?
>>>
>>> MJ
>>>
>> You are correct from my own environment.
>>
>> Is this how a Microsoft domain behaves as well or a limit of Samba
>> not being able to replicate these attributes? If anyone knows btw. Thanks.
> MJ's statement is not correct. The password policy attributes are
> replicated, the configuration only needs to be done on a single DC.
>
> Additionally, for Samba 4.8 it will (currently off by default) be
> possible for a DC to read the password policy and other security
> settings from the GPO files.
>
> Thanks,
>
> Andrew Bartlett
>

Andrew,

Just tested a change on 4.7 and sure enough the replication was instantaneous. I haven't made changes to my password settings in some time, so not sure when things improved, but this wasn't always the case. I wonder in my case if it was merely a delay in replication and at some point it would have been reflected on the other DCs.

--
--
James
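
The thread turns on whether every DC ends up with the same password policy. The following is an added example, not code from any poster or from the Samba project, that compares the policy reported by each DC and lists any setting that differs. It assumes the text was captured per DC with `samba-tool domain passwordsettings show -H ldap://<dc>` and consists of `name: value` lines; the hostnames, domain and values are constructed.

```python
# Added example: compare password-policy output captured from several DCs.
# Assumption: each text is the output of
#   samba-tool domain passwordsettings show -H ldap://<dc>
# and consists of "name: value" lines. Hostnames and values are constructed.

BASE = """Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 12
Minimum password age (days): 1
Maximum password age (days): 42
"""

# Constructed sample: dc3 still reports an older minimum length.
SAMPLE = {
    "dc1": BASE,
    "dc2": BASE,
    "dc3": BASE.replace("Minimum password length: 12", "Minimum password length: 7"),
}


def parse_settings(text):
    """Turn 'name: value' lines into a dict; header and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            settings[name.strip()] = value.strip()
    return settings


def find_divergence(outputs):
    """Return {setting: {dc: value}} for settings that differ between DCs."""
    parsed = {dc: parse_settings(text) for dc, text in outputs.items()}
    names = set().union(*(p.keys() for p in parsed.values()))
    diverging = {}
    for name in sorted(names):
        values = {dc: p.get(name, "<missing>") for dc, p in parsed.items()}
        if len(set(values.values())) > 1:
            diverging[name] = values
    return diverging


if __name__ == "__main__":
    for name, values in find_divergence(SAMPLE).items():
        print(f"MISMATCH {name}: {values}")
```

An empty result means all DCs report the same policy; a mismatch that persists after replication has had time to run points at a replication problem rather than a per-DC setting.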