On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> Hi folks,
>
> I just wonder why it is not possible to set domain password policies
> with GPO, using the Windows RSAT Group Policy Manager? For most other
> settings, using GPOs through RSAT works.
>
> For somebody who sets up a Samba AD DC infrequently, this is a huge
> trap. There should be a very visible warning on the AD DC setup wiki
> page, that you *must* set up password policies with samba-tool, if you
> plan to change the default password policies (which I assume most will
> do). It should also be very clearly noted that it is not possible to do
> this with RSAT (as lots of people will try that anyway). This warning
> should also be displayed on the Group Policy wiki page. If there are
> other GPO policies that can not be set with RSAT, those should also be
> listed.

Thanks Peter for reaching out on this,

So, the challenge is that in the past, Samba didn't know how to read
these, and the settings were just ignored.

Now it can, but given there are now existing domains, which setting
should be primary, the one in the DB or the one in the GPO?

That is why the smb.conf setting "apply group policies" needs to be set
to Yes if the GPO approach is to be taken.

Feel free to ask for a wiki account to point out this if you feel it
would be helpful.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
On 27.08.2023 23:45, Andrew Bartlett via samba wrote:
> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> I just wonder why it is not possible to set domain password policies
>> with GPO, using the Windows RSAT Group Policy Manager? For most other
>> settings, using GPOs through RSAT works.
>>
>> For somebody who sets up a Samba AD DC infrequently, this is a huge
>> trap. There should be a very visible warning on the AD DC setup wiki
>> page, that you *must* set up password policies with samba-tool, if you
>> plan to change the default password policies (which I assume most will
>> do). It should also be very clearly noted that it is not possible to do
>> this with RSAT (as lots of people will try that anyway). This warning
>> should also be displayed on the Group Policy wiki page. If there are
>> other GPO policies that can not be set with RSAT, those should also be
>> listed.
>
> Thanks Peter for reaching out on this,
>
> So, the challenge is that in the past, Samba didn't know how to read
> these, and the settings were just ignored.
>
> Now it can, but given there are now existing domains, which setting
> should be primary, the one in the DB or the one in the GPO?
>
> That is why the smb.conf setting "apply group policies" needs to be set
> to Yes if the GPO approach is to be taken.
>
> Feel free to ask for a wiki account to point out this if you feel it
> would be helpful.
>
> Andrew Bartlett
>

Hi Andrew,

Many thanks for the information. I guess which of the methods for setting
password policies is used depends on local conditions, admin preferences
and experience. In a mainly Windows oriented domain, setting things
through the GPMC would be the preferred way, and in a mixed, or Linux
oriented domain, with samba-tool.

What I pointed out in my original post was the absence of information
about GPO handling in the Samba wiki, when setting up a new AD DC.

IMHO this information is absolutely essential for successful domain
operations with Windows. Even in a fairly small domain with a Samba AD DC,
a server (Samba or Windows), and a few workstations, operations will be
quite impaired without applying at least a few essential GPOs. In my
particular case, folder redirection, and a few other things. I couldn't
imagine setting up the domain without GPOs, and it would end up in a
horrible mess. So, just a few lines and a link to the GPO wiki page in the
instructions for setting up a Samba AD DC will be sufficient. In the GPO
wiki page, your information about the "apply group policies" setting
should not be missing, as well as a link to David Mulder's GPO "bible"
(https://dmulder.github.io/group-policy-book/sec.html), which Rowland
kindly pointed out.

Once again, many thanks, it helps a lot.

Best regards,

Peter
On 27.08.2023 23:45, Andrew Bartlett wrote:
> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> I just wonder why it is not possible to set domain password policies
>> with GPO, using the Windows RSAT Group Policy Manager? For most other
>> settings, using GPOs through RSAT works.
>>
>> For somebody who sets up a Samba AD DC infrequently, this is a huge
>> trap. There should be a very visible warning on the AD DC setup wiki
>> page, that you *must* set up password policies with samba-tool, if you
>> plan to change the default password policies (which I assume most will
>> do). It should also be very clearly noted that it is not possible to do
>> this with RSAT (as lots of people will try that anyway). This warning
>> should also be displayed on the Group Policy wiki page. If there are
>> other GPO policies that can not be set with RSAT, those should also be
>> listed.
>
> Thanks Peter for reaching out on this,
>
> So, the challenge is that in the past, Samba didn't know how to read
> these, and the settings were just ignored.
>
> Now it can, but given there are now existing domains, which setting
> should be primary, the one in the DB or the one in the GPO?
>
> That is why the smb.conf setting "apply group policies" needs to be set
> to Yes if the GPO approach is to be taken.
>
> Feel free to ask for a wiki account to point out this if you feel it
> would be helpful.
>
> Andrew Bartlett
>

Hi folks,

I've tried to get password policy settings using the Windows GPMC from
RSAT working. Unfortunately, no change. It just does not work.

Here is the smb.conf for the AD DC:

# Global parameters
[global]
        dns forwarder = 78.110.208.34
        netbios name = TESTADC1
        realm = TESTDOM.TALPS
        server role = active directory domain controller
        workgroup = TESTDOM
        idmap_ldb:use rfc2307 = yes
        apply group policies = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/testdom.talps/scripts
        read only = No

The only way to set password policies for the domain still seems to be
through samba-tool domain passwordsettings, and the parameter "apply
group policies" has got no effect at all. If I create a gpresult.html
file on a Windows member PC, it shows the settings I have set with the
Windows Group Policy Management Editor (GPME), but when setting a
password for a user in Active Directory Users and Computers, the
settings are not honored. In GPME there is also the folder
Samba\smb.conf, where the different password policy parameters can be
set. No effect at all.

In practice, this is not a big deal. You probably set the domain
password policies once, and forget about it. I'm not going to waste more
time on this. Just use samba-tool domain passwordsettings for setting
password policies, and forget about GPMC.

Best regards,

Peter
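The thread's practical lesson is that the policy a workstation's gpresult shows is not necessarily the policy the directory enforces, so a defender should audit the effective policy rather than the GPO. The following is an added example, not code from the thread or from the Samba project: it checks whether smb.conf enables "apply group policies" and compares the policy reported by `samba-tool domain passwordsettings show` against a baseline. The output labels, the baseline values and both sample inputs are constructed assumptions.

```python
import re
# Constructed sample: the [global] part of the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """# Global parameters
[global]
\tserver role = active directory domain controller
\tapply group policies = yes
"""
# Constructed sample modelled on 'samba-tool domain passwordsettings show';
# the exact labels are an assumption, adjust the regex if yours differ.
SAMPLE_PWSETTINGS = """Password information for domain 'DC=testdom,DC=talps'
Password complexity: on
Password history length: 24
Minimum password length: 7
Account lockout threshold (attempts): 0
"""
# Baseline the effective (directory) policy must meet; tuples are (lo, hi).
BASELINE = {
    "Password complexity": "on",
    "Minimum password length": (12, None),
    "Password history length": (24, None),
    "Account lockout threshold (attempts)": (1, 10),  # 0 disables lockout
}

def gpo_policies_applied(smb_conf_text):
    """True only if smb.conf sets 'apply group policies' to yes/true/1 (default is no)."""
    pattern = r"^\s*apply group policies\s*=\s*(yes|true|1)\s*$"
    return bool(re.search(pattern, smb_conf_text, re.MULTILINE | re.IGNORECASE))

def parse_passwordsettings(text):
    """Parse 'Label: value' lines; numeric values become ints, others stay strings."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][^:]+):\s*(\S+)$", line)
        if m:
            settings[m.group(1).strip()] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return settings

def policy_findings(settings, baseline=BASELINE):
    """List baseline items the effective policy does not satisfy."""
    findings = []
    for key, want in baseline.items():
        have = settings.get(key)
        if isinstance(want, tuple):
            lo, hi = want
            if not (isinstance(have, int) and have >= lo and (hi is None or have <= hi)):
                findings.append(f"{key}: have {have}, want {lo}..{'any' if hi is None else hi}")
        elif have != want:
            findings.append(f"{key}: have {have}, want {want}")
    return findings
```

On a real DC, feed the text of /etc/samba/smb.conf and the captured output of `samba-tool domain passwordsettings show` to these functions; a non-empty findings list means the directory policy, whichever tool set it, is weaker than intended.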