tomek82
2019-Sep-22 18:05 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
Hi, I've joined samba DC to existing windows domain using: samba-tool domain join ***.** DC -U"***\admin" --dns-backend=BIND9_DLZ It has stopped on Adding DNS account CN=dns-DC... with the below error. ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') when the BIND9_DLZ is not specified the join is finished without any errors. How can I join with Bind backend? Thanks, Tom
Rowland penny
2019-Sep-22 18:23 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
On 22/09/2019 19:05, tomek82 via samba wrote:> Hi, > > I've joined samba DC to existing windows domain using:You say 'existing windows domain', but what is the Windows domain ?> > samba-tool domain join ***.** DC -U"***\admin" --dns-backend=BIND9_DLZ > > It has stopped on > > Adding DNS account CN=dns-DC... > > with the below error. > > ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION')This would seem to mean the password isn't complex enough, but the password should be random, so is the Windows domain set to have extremely complex passwords ? What version of Samba are you running ? And on what OS ? Rowland
Andrew Bartlett
2019-Sep-22 20:22 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
On Sun, 2019-09-22 at 19:23 +0100, Rowland penny via samba wrote:> On 22/09/2019 19:05, tomek82 via samba wrote: > > Hi, > > > > I've joined samba DC to existing windows domain using: > > You say 'existing windows domain', but what is the Windows domain ? > > > > samba-tool domain join ***.** DC -U"***\admin" --dns- > > backend=BIND9_DLZ > > > > It has stopped on > > > > Adding DNS account CN=dns-DC... > > > > with the below error. > > > > ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 > > level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') > > This would seem to mean the password isn't complex enough, but the > password should be random, so is the Windows domain set to have > extremely complex passwords ?Samba doesn't implement it, but I was reading the MS-SAMR spec last week and there is a maximum password length. That might be causing the trouble. The dns-* account is created as a 'normal' account, so password restrictions apply (unlike machine accounts used for the DC). Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Marco Gaiarin
2019-Sep-23 07:25 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
Mandi! tomek82 via samba In chel di` si favelave...> ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION')You have a 'check password script' enabled in smb.conf? Try to do (on a DC): samba-tool domain passwordsettings set --complexity=off and try again the join, then clearly re-enable it: samba-tool domain passwordsettings set --complexity=on -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland penny
2019-Sep-23 07:59 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
On 23/09/2019 08:25, Marco Gaiarin via samba wrote:> Mandi! tomek82 via samba > In chel di` si favelave... > >> ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') > You have a 'check password script' enabled in smb.conf? > > Try to do (on a DC): > > samba-tool domain passwordsettings set --complexity=off > > and try again the join, then clearly re-enable it: > > samba-tool domain passwordsettings set --complexity=on >Sorry Marco, but this has nothing to do with the OP's smb.conf, good thought though ;-) It looks like Windows does things in a different way to Samba, everything I can find tells me the maximum user password length is 127 characters if created in a GUI, but up to 256 characters if done programmatically? (i.e. in a script) Andrew referred to the MS-SAMR spec, it might have helped if he had said just what part. When Samba creates the 'dns-*' user for a DC using bind9, it uses a random password between 128 and 256 characters in length, so should be suitable. The only thing I can think of is, somehow the maximum password length or complexity is set differently on the Windows DC that the OP is attempting to join the Samba DC to. This is only a problem for the OP because he attempted to join with Bind9, the affected code is not run if you use the internal dns server. Rowland
Andrew Bartlett
2019-Sep-23 08:24 UTC
[Samba] Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
On Mon, 2019-09-23 at 09:25 +0200, Marco Gaiarin via samba wrote:> Mandi! tomek82 via samba > In chel di` si favelave... > > > ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') > > You have a 'check password script' enabled in smb.conf?If I read the thread correctly, it was against a windows DC. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Maybe Matching Threads
- Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
- Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION
- Time synchronization and Password Policies
- Time synchronization and Password Policies
- Force password complexity on NT4 style domain (Samba 4.6.4)