On Wed, 30 Aug 2023 12:40:08 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 09:49:05 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
> >>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> >>>>>> Hi folks,
> >>>>>>
> >>>>>> I just wonder why it is not possible to set domain password policies with GPO, using the Windows RSAT Group Policy Manager? For most other settings, using GPOs through RSAT works.
> >>>>>>
> >>>>>> For somebody who sets up a Samba AD DC infrequently, this is a huge trap. There should be a very visible warning on the AD DC setup wiki page, that you *must* set up password policies with samba-tool, if you plan to change the default password policies (which I assume most will do). It should also be very clearly noted that it is not possible to do this with RSAT (as lots of people will try that anyway). This warning should also be displayed on the Group Policy wiki page. If there are other GPO policies that can not be set with RSAT, those should also be listed.
> >>>>>
> >>>>> Thanks Peter for reaching out on this,
> >>>>>
> >>>>> So, the challenge is that in the past, Samba didn't know how to read these, and the settings were just ignored.
> >>>>>
> >>>>> Now it can, but given there are now existing domains, which setting should be primary, the one in the DB or the one in the GPO? That is why the smb.conf setting "apply group policies" needs to be set to Yes if the GPO approach is to be taken.
> >>>>>
> >>>>> Feel free to ask for a wiki account to point out this if you feel it would be helpful.
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>> Hi folks,
> >>>>
> >>>> I've tried to get password policies setting using the Windows GPMC from RSAT working. Unfortunately, no change. It just does not work. Here is the smb.conf for the AD DC:
> >>>>
> >>>> # Global parameters
> >>>> [global]
> >>>>         dns forwarder = 78.110.208.34
> >>>>         netbios name = TESTADC1
> >>>>         realm = TESTDOM.TALPS
> >>>>         server role = active directory domain controller
> >>>>         workgroup = TESTDOM
> >>>>         idmap_ldb:use rfc2307 = yes
> >>>>         apply group policies = yes
> >>>>
> >>>> [sysvol]
> >>>>         path = /var/lib/samba/sysvol
> >>>>         read only = No
> >>>>
> >>>> [netlogon]
> >>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>         read only = No
> >>>>
> >>>> The only way to set password policies for the domain still seems to be through samba-tool domain passwordsettings, and the parameter "apply group policies" has got no effect at all.
> >>>>
> >>>> If I create a gpresult.html file on a Windows member PC, it shows the settings I have set with the Windows Group Policy Management Editor (GPME), but when setting a password for a user in Active Directory Users and Computers, the settings are not honored.
> >>>>
> >>>> In GPME there is also the folder Samba\smb.conf, where the different password policy parameters can be set. No effect at all. In practice, this is not a big deal. You probably set the domain password policies once, and forget about it.
> >>>>
> >>>> I'm not going to waste more time on this. Just use samba-tool domain passwordsettings for setting password policies, and forget about GPMC.
> >>>
> >>> I would also note that the even better password policies - fine grained password policies - (password setting objects) were never available via GPMC and were always directly set to the directory. We have good tooling for that in samba-tool, plus whatever windows uses would edit the same LDAP attributes.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi Andrew,
> >>
> >> Thanks for the information. In my setting, standard password policies are sufficient.
> >>
> >> Is it possible to set password policies at all using GPMC from RSAT? I did not succeed, as I wrote. It's not an important issue, however it would have been nice to be able to use one tool for everything. In a small setting like mine (about 40 users), I just set it once with samba-tool, and that's it. I would be very surprised if the need ever arises to change something there. I would sooner expect that there will be requirements for other types of authentication that are more secure in the not so far future.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> > This got my interest, so I did a little testing from a win10 VM and (for myself) GPME works up to a point.
> >
> > I followed David Mulder's instructions, though there were a few errors. I could easily set things in the GPME, but they didn't seem to affect AD. I turned off password complexity and set min password length to 8; this was not reflected in AD.
> >
> > I then wondered if it was altering sysvol, so I checked and:
> >
> > sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> > ??[Unicode]
> > Unicode=yes
> > [Version]
> > signature="$CHICAGO$"
> > Revision=1
> > [System Access]
> > MinimumPasswordLength = 8
> > PasswordComplexity = 0
> > [Registry Values]
> >
> > And when I turned password complexity back on through GPME:
> >
> > ??[Unicode]
> > Unicode=yes
> > [Version]
> > signature="$CHICAGO$"
> > Revision=1
> > [System Access]
> > MinimumPasswordLength = 8
> > PasswordComplexity = 1
> > [Registry Values]
> >
> > So it looks like it is halfway there, it is creating the GPO in sysvol. I ran samba-gpupdate, but it either does nothing or crashes.
> >
> > Rowland
> >
> Hi Rowland,
>
> I set the parameter "apply group policies = yes" in smb.conf as Andrew suggested (I even tried in GPME/Administrative templates/Samba/smb.conf). Then I set password policies through GPME. Every time I do something in GPMC/GPME, it seems that the permissions under sysvol become disturbed (using samba-tool ntacl sysvolcheck), but they were fixed by a sysvolreset (this is another matter). Subsequently, I checked up the entries in GPME, and they were exactly as I had set them with GPME. Running a GPRESULT in Windows showed that policies set with GPME were applied. Running "samba-tool domain passwordsettings show" does not reflect anything set with GPME. Testing by adding a new user to AD confirms that the samba-tool settings are those that get applied, not what I set with GPME. A bit weird.
>
> Presently, the problem is more of an academic nature. I can live with that, as it's more like set and forget. I may have forgotten something essential, but I don't think so. I guess this needs a bit more work in the code. Nothing high priority, I guess, as it's not a show stopper. But it should be duly noted in the Wiki.
>
> Best regards,
>
> Peter

The problem is, from my point of view, David Mulder created a document about Samba and GPOs, part of which seems to suggest that, at some time, setting password attributes with GPME worked; well, I cannot get it to work now.

After reading the code for gpclass.py, it looks like the python code looks for 'version' in a cache file. This cache file is empty, probably because the domain controller's GPO is an empty GPO when first created. This does lead to a question: AD GPOs are stored on disk in sysvol and also in AD, so why does Samba require yet another copy in a cache?

If I change the output of 'gpo_version' from gpclass.py to return an integer, samba-gpupdate no longer crashes. It still doesn't work, but it no longer crashes.

Rowland
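The thread's two sources of truth can be compared mechanically. The following is an added example (not code from the thread or from Samba): it parses the [System Access] section of a constructed copy of the GptTmpl.inf shown above (UTF-16 with the BOM that cat rendered as '??') and a constructed copy of `samba-tool domain passwordsettings show` output, whose label wording is assumed to match what samba-tool prints, and reports where the GPO and the policy the DC enforces disagree.

```python
import configparser

# Constructed GptTmpl.inf as printed in the thread; on disk it is UTF-16 with a BOM ('??' in cat).
GPTTMPL_BYTES = (
    '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
    "[System Access]\nMinimumPasswordLength = 8\nPasswordComplexity = 0\n"
    "[Registry Values]\n"
).encode("utf-16")

# Constructed 'samba-tool domain passwordsettings show' output (Samba defaults); label wording assumed.
SAMBA_TOOL_OUTPUT = """Password information for domain 'DC=testdom,DC=talps'

Password complexity: on
Password history length: 24
Minimum password length: 7
"""

# secedit key in [System Access] -> label printed by samba-tool
KEY_MAP = {
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Password complexity",
    "PasswordHistorySize": "Password history length",
}

def parse_gpttmpl(data: bytes) -> dict:
    """Return the [System Access] section of a GptTmpl.inf as {key: int}."""
    bom16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the secedit key case
    cp.read_string(data.decode("utf-16" if bom16 else "utf-8-sig"))
    section = cp["System Access"] if cp.has_section("System Access") else {}
    return {k: int(v) for k, v in section.items()}

def parse_passwordsettings(text: str) -> dict:
    """Return {label: int} from samba-tool output; on/off become 1/0."""
    out = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        label, value = (s.strip() for s in line.split(": ", 1))
        value = {"on": "1", "off": "0"}.get(value, value)
        if value.isdigit():
            out[label] = int(value)
    return out

def find_mismatches(gpo: dict, effective: dict) -> dict:
    """Return {samba-tool label: (GPO value, enforced value)} for keys that differ."""
    return {KEY_MAP[k]: (v, effective.get(KEY_MAP[k]))
            for k, v in gpo.items()
            if k in KEY_MAP and effective.get(KEY_MAP[k]) != v}

if __name__ == "__main__":
    print(find_mismatches(parse_gpttmpl(GPTTMPL_BYTES), parse_passwordsettings(SAMBA_TOOL_OUTPUT)))
```

On a real DC, feed it the bytes of the Default Domain Policy's GptTmpl.inf and the captured samba-tool output; an empty result means the GPO values are actually in force.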
On 30.08.2023 16:21, Rowland Penny via samba wrote:
> The problem is, from my point of view, David Mulder created a document about Samba and GPOs, part of which seems to suggest that, at some time, setting password attributes with GPME worked; well, I cannot get it to work now.
>
> After reading the code for gpclass.py, it looks like the python code looks for 'version' in a cache file. This cache file is empty, probably because the domain controller's GPO is an empty GPO when first created. This does lead to a question: AD GPOs are stored on disk in sysvol and also in AD, so why does Samba require yet another copy in a cache?
>
> If I change the output of 'gpo_version' from gpclass.py to return an integer, samba-gpupdate no longer crashes. It still doesn't work, but it no longer crashes.
>
> Rowland
>
Hi Rowland,

I would like to have Andrew's comments about this (and if possible, also from David Mulder). Obviously, it does not work. I don't get any errors at all, no crashes, nothing in the journal, nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from bookworm-backports).

I'm not particularly at home in python programming, and have got nothing to add here. But I love to tinker with things that do not work. At the moment however, I'm quite time constrained, otherwise I'd give it a shot...

Best regards

Peter
On 8/30/23 8:21 AM, Rowland Penny via samba wrote:
> After reading the code for gpclass.py, it looks like the python code looks for 'version' in a cache file. This cache file is empty, probably because the domain controller's GPO is an empty GPO when first created. This does lead to a question: AD GPOs are stored on disk in sysvol and also in AD, so why does Samba require yet another copy in a cache?

You're assuming the policies are running on an ADDC. The group policy code assumes it's running on a client, and pulls a copy of the SYSVOL to a cache. Of course we could read directly from the SYSVOL when on the ADDC, but that's an optimization that hasn't happened.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
On 8/30/23 8:21 AM, Rowland Penny via samba wrote:
> If I change the output of 'gpo_version' from gpclass.py to return an integer, samba-gpupdate no longer crashes. It still doesn't work, but it no longer crashes.

It occurs to me there was actually a bug in the `samba-tool gpo manage security set` command that failed to initialize the gpo version. This was bug https://bugzilla.samba.org/show_bug.cgi?id=15327 which was fixed in March. Perhaps this is at least the initial issue we're encountering? Although, using the GPME to set these policies would have avoided that problem.

Something to keep in mind: it's good practice to use the latest stable version of samba-tool (perhaps from a different machine) to modify the SYSVOL using the `samba-tool gpo manage` command, not necessarily the stable version released by your distro.

-- 
David Mulder