As far as I've understood, 'samba-tool domain passwordsettings' sets the domain
password settings, while the GPO equivalent settings are for the client
(Windows client and server OS).

Currently I've enabled password complexity checks server side:

root at vdcsv1:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it'

Password complexity: on
Store plaintext passwords: off
Password history length: 5
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 5

mostly because I need a custom policy (eg, a 'check password script').

But I've disabled them in GPO, and still local users (eg, Administrator)
seem to have that policy applied:

net user Administrator kaaPxvqEXW
La password non soddisfa i requisiti dei Criteri di password.
Verificare la lunghezza minima della password, la complessità
della password e i requisiti della cronologia della password.
Ulteriori informazioni sono disponibili digitando NET HELPMSG 2245.

'net user Administrator' does not impact on 'Password history length' (eg, I
can set the same password), so the only thing I can hit is the 'Password
complexity', because the password does not contain punctuation.

Note that passwords like that are generated with a script
('winadminpassword'), and when the generated password has a punctuation
char, Windows gets the password as expected.

Does someone have some clue?! Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Thu, 21 Jun 2018 09:55:59 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> As far as I've understood, 'samba-tool domain passwordsettings' sets the
> domain password settings, while the GPO equivalent settings are for the
> client (Windows client and server OS).
>
> Currently I've enabled password complexity checks server side:
>
> root at vdcsv1:~# samba-tool domain passwordsettings show
> Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it'
>
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 5
> Minimum password length: 8
> Minimum password age (days): 0
> Maximum password age (days): 90
> Account lockout duration (mins): 30
> Account lockout threshold (attempts): 5
> Reset account lockout after (mins): 5
>
> mostly because I need a custom policy (eg, a 'check password script').
>
> But I've disabled them in GPO, and still local users (eg, Administrator)
> seem to have that policy applied:
>
> net user Administrator kaaPxvqEXW
> La password non soddisfa i requisiti dei Criteri di password.
> Verificare la lunghezza minima della password, la complessità
> della password e i requisiti della cronologia della password.
> Ulteriori informazioni sono disponibili digitando NET HELPMSG 2245.
>
> 'net user Administrator' does not impact on 'Password history length'
> (eg, I can set the same password), so the only thing I can hit is the
> 'Password complexity', because the password does not contain
> punctuation.

It doesn't have to contain punctuation:

The password contains characters from three of the following categories:

 - Uppercase letters of European languages (A through Z, with diacritic
   marks, Greek and Cyrillic characters)
 - Lowercase letters of European languages (a through z, sharp-s, with
   diacritic marks, Greek and Cyrillic characters)
 - Base 10 digits (0 through 9)
 - Non-alphanumeric characters (special characters):
   (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
   Currency symbols such as the Euro or British Pound are not counted as
   special characters for this policy setting.
 - Any Unicode character that is categorized as an alphabetic character
   but is not uppercase or lowercase. This includes Unicode characters
   from Asian languages.

So, as I am sure you can see, 'kaaPxvqEXW' only passes the first two. It
contains uppercase and lowercase, but neither numbers nor punctuation.

I think you need to look very closely at your 'winadminpassword' script;
it should only produce passwords that meet your set complexity, perhaps
tie it into obtaining the complexity set in AD.

Rowland

> Note that passwords like that are generated with a script
> ('winadminpassword'), and when the generated password has a
> punctuation char, Windows gets the password as expected.
>
> Does someone have some clue?! Thanks.
>
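The 3-of-5 category rule Rowland quotes, written out as a checker plus a generator that cannot produce a password like 'kaaPxvqEXW'. This is an added example, not the 'winadminpassword' script from the thread nor any Samba code; it models only the character-category part of the Windows rule (not the account-name check) and assumes the minimum length of 8 shown in the samba-tool output.

```python
import secrets
import string
import unicodedata

# Non-alphanumeric characters from the Windows complexity rule as quoted
# in the thread. Currency symbols (Unicode category Sc) are deliberately
# not in this set, so '€' and '£' never count as a special character.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def categories(password: str) -> set:
    """Return the set of complexity categories the password touches."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":             # uppercase letters, incl. diacritics, Greek, Cyrillic
            found.add("upper")
        elif cat == "Ll":           # lowercase letters, incl. sharp-s
            found.add("lower")
        elif ch in string.digits:   # base-10 digits 0 through 9 only
            found.add("digit")
        elif ch in SPECIALS:        # listed special characters
            found.add("special")
        elif cat.startswith("L"):   # other alphabetic, e.g. CJK ideographs (Lo)
            found.add("other_alpha")
    return found


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """True when the password uses >= 3 categories and meets the minimum length."""
    return len(password) >= min_length and len(categories(password)) >= 3


def generate_password(length: int = 12) -> str:
    """Generate a random password guaranteed to pass meets_complexity().

    One character is drawn from each of four pools (upper, lower, digit,
    special), the remainder from the union, then the list is shuffled with
    a CSPRNG, so the 3-of-5 rule can never fail. Assumes length >= 8.
    """
    pools = [string.ascii_uppercase, string.ascii_lowercase,
             string.digits, "".join(sorted(SPECIALS))]
    chars = [secrets.choice(pool) for pool in pools]
    union = "".join(pools)
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):      # Fisher-Yates with secrets
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```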
Hi! Rowland Penny via samba, on that day, said:

> It doesn't have to contain punctuation:

Ahem, I've written 'punctuation' but I meant 'Non-alphanumeric
characters'. Sorry.

> So, as I am sure you can see, 'kaaPxvqEXW' only passes the first two.
> It contains uppercase and lowercase, but neither numbers nor punctuation.

Exactly as I supposed. Thanks.

> I think you need to look very closely at your 'winadminpassword'
> script, it should only produce passwords that meet your set complexity,
> perhaps tie it into obtaining the complexity set in AD.

Ok. True. But my question really is: why does this policy apply, if I've
not enabled it in GPO?

-- 
dott. Marco Gaiarin