On Wed, 30 Aug 2023 18:56:48 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>
> On 30.08.2023 16:21, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 12:40:08 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> >>> On Wed, 30 Aug 2023 09:49:05 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
> >>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> >>>>>>>> Hi folks,
> >>>>>>>> I just wonder why it is not possible to set domain password
> >>>>>>>> policies with GPO, using the Windows RSAT Group Policy
> >>>>>>>> Manager? For most other settings, using GPOs through RSAT
> >>>>>>>> works. For somebody who sets up a Samba AD DC infrequently,
> >>>>>>>> this is a huge trap. There should be a very visible warning
> >>>>>>>> on the AD DC setup wiki page, that you *must* set up password
> >>>>>>>> policies with samba-tool, if you plan to change the default
> >>>>>>>> password policies (which I assume most will do). It should
> >>>>>>>> also be very clearly noted that it is not possible to do this
> >>>>>>>> with RSAT (as lots of people will try that anyway).
> >>>>>>>> This warning should also be displayed on the Group Policy wiki
> >>>>>>>> page. If there are other GPO policies that can not be set
> >>>>>>>> with RSAT, those should also be listed.
> >>>>>>> Thanks Peter for reaching out on this,
> >>>>>>> So, the challenge is that in the past, Samba didn't know how
> >>>>>>> to read these, and the settings were just ignored.
> >>>>>>> Now it can, but given there are now existing domains, which
> >>>>>>> setting should be primary, the one in the DB or the one in the
> >>>>>>> GPO? That is why the smb.conf setting "apply group policies"
> >>>>>>> needs to be set to Yes if the GPO approach is to be taken.
> >>>>>>> Feel free to ask for a wiki account to point out this if you
> >>>>>>> feel it would be helpful.
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Hi folks,
> >>>>>> I've tried to get password policies setting using the Windows
> >>>>>> GPMC from RSAT working. Unfortunately, no change. It just does
> >>>>>> not work. Here is the smb.conf for the AD DC:
> >>>>>>
> >>>>>> # Global parameters
> >>>>>> [global]
> >>>>>>         dns forwarder = 78.110.208.34
> >>>>>>         netbios name = TESTADC1
> >>>>>>         realm = TESTDOM.TALPS
> >>>>>>         server role = active directory domain controller
> >>>>>>         workgroup = TESTDOM
> >>>>>>         idmap_ldb:use rfc2307 = yes
> >>>>>>         apply group policies = yes
> >>>>>>
> >>>>>> [sysvol]
> >>>>>>         path = /var/lib/samba/sysvol
> >>>>>>         read only = No
> >>>>>>
> >>>>>> [netlogon]
> >>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>>>         read only = No
> >>>>>>
> >>>>>> The only way to set password policies for the domain, still
> >>>>>> seems to be through samba-tool domain passwordsettings and the
> >>>>>> parameter "apply group policies" has got no effect at all.
> >>>>>> If I create a gpresult.html file on a Windows member PC, it
> >>>>>> shows the settings I have set with the Windows Group Policy
> >>>>>> Management Editor (GPME), but when setting a password for a
> >>>>>> user in Active Directory Users and Computers, the settings are
> >>>>>> not honored. In GPME there is also the folder Samba\smb.conf,
> >>>>>> where the different password policy parameters can be set. No
> >>>>>> effect at all. In practice, this is not a big deal. You
> >>>>>> probably set the domain password policies once, and forget
> >>>>>> about it. I'm not going to waste more time on this. Just use
> >>>>>> samba-tool domain passwordsettings for setting password
> >>>>>> policies, and forget about GPMC.
> >>>>> I would also note that the even better password policies - fine
> >>>>> grained password policies - (password setting objects) were
> >>>>> never available via GPMC and were always directly set to the
> >>>>> directory. We have good tooling for that in samba-tool, plus
> >>>>> whatever windows uses would edit the same LDAP attributes.
> >>>>> Andrew Bartlett
> >>>>>
> >>>> Hi Andrew,
> >>>>
> >>>> Thanks for the information. In my setting, standard password
> >>>> policies are sufficient.
> >>>>
> >>>> Is it possible to set password policies at all using GPMC from
> >>>> RSAT? I did not succeed, as I wrote. It's not an important issue,
> >>>> however it would have been nice to be able to use one tool for
> >>>> everything. In a small setting like mine (about 40 users), I just
> >>>> set it once with samba-tool, and that's it. I would be very
> >>>> surprised if the need ever arises to change something there. I
> >>>> would sooner expect that there will be requirements for other
> >>>> types of authentication that are more secure in the not so far
> >>>> future.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>> This got my interest, so I did a little testing from a win10 VM
> >>> and (for myself) GPME works up to a point.
> >>>
> >>> I followed David Mulder's instructions, though there were a few
> >>> errors, I could easily set things in the GPME, but they didn't
> >>> seem to affect AD. I turned off password complexity and set min
> >>> password length to 8, this was not reflected in AD.
> >>> I then wondered if it was altering sysvol, so I checked and:
> >>>
> >>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> >>> ??[Unicode]
> >>> Unicode=yes
> >>> [Version]
> >>> signature="$CHICAGO$"
> >>> Revision=1
> >>> [System Access]
> >>> MinimumPasswordLength = 8
> >>> PasswordComplexity = 0
> >>> [Registry Values]
> >>>
> >>> And when I turned password complexity back on through GPME:
> >>>
> >>> ??[Unicode]
> >>> Unicode=yes
> >>> [Version]
> >>> signature="$CHICAGO$"
> >>> Revision=1
> >>> [System Access]
> >>> MinimumPasswordLength = 8
> >>> PasswordComplexity = 1
> >>> [Registry Values]
> >>>
> >>> So it looks like it is halfway there, it is creating the GPO in
> >>> sysvol. I ran samba-gpupdate, but it either does nothing or
> >>> crashes.
> >>>
> >>> Rowland
> >>>
> >> Hi Rowland,
> >>
> >> I set the parameter "apply group policies = yes" in smb.conf as
> >> Andrew suggested (I even tried in GPME/Administrative
> >> templates/Samba/smb.conf). Then I set password policies through
> >> GPME. Every time I do something in GPMC/GPME, it seems that the
> >> permissions under sysvol become disturbed (using samba-tool ntacl
> >> sysvolcheck), but was fixed by a sysvolreset (this is another
> >> matter). Subsequently, I checked up the entries in GPME, and they
> >> were exactly as I had set them with GPME. Running a GPRESULT in
> >> Windows showed that policies set with GPME were applied. Running
> >> "samba-tool domain passwordsettings show", does not reflect
> >> anything set with GPME. Testing by adding a new user to AD,
> >> confirms that the samba-tool settings are those that get
> >> applied, not what I set with GPME. A bit weird.
> >>
> >> Presently, the problem is more of an academic nature. I can live
> >> with that, as it's more like set and forget. I may have forgotten
> >> something essential, but I don't think so. I guess this needs a
> >> bit more work in the code. Nothing high priority, I guess, as it's
> >> not a show stopper. But it should be duly noted in the Wiki.
> >>
> >> Best regards,
> >>
> >> Peter
> > The problem is, from my point of view, David Mulder created a
> > document about Samba and GPOs, part of which seems to suggest that,
> > at some time, setting password attributes with GPME worked, well, I
> > cannot get to work now.
> >
> > After reading the code for gpclass.py, it looks like the python code
> > looks for 'version' in a cache file, this cache file is empty,
> > probably because the domain controllers GPO is an empty GPO when
> > first created. This does lead to a question, AD GPOs are stored on
> > disk in sysvol and also in AD, so why does Samba require yet another
> > copy in a cache ?
> >
> > If I change the output of 'gpo_version' from gpclass.py to return an
> > integer, samba-gpupdate no longer crashes, it still doesn't work,
> > but it no longer crashes.
> >
> > Rowland
> >
> >
> >
> Hi Rowland,
>
> I would like to have Andrew's comments about this (and if possible,
> also from David Mulder). Obviously, it does not work.
Hi Peter,
I think we need to hear from David, he has done some amazing work on
Samba and GPOs, including creating the document I linked to. That
document seems to indicate that modifying the default Domain
Controllers Policy did, at some time, work, as you and I know, it
doesn't now.
>
> I don't get any errors at all, no crashes, nothing in the journal,
> nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from
> bookworm-backports).
If I try to alter the default Domain Controllers policy via GPME,
whilst GPME shows and retains the changes, nothing changes in AD.
There are changes in sysvol, but these changes seem to require that
sysvolreset is run. If I then run samba-gpupdate, I get this:
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 133, in <module>
    apply_gp(lp, creds, store, gp_extensions, username,
  File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 481, in apply_gp
    version = gpo_version(lp, path)
  File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 431, in gpo_version
    return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
samba.NTSTATUSError: (3221225700, 'This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.')
I traced this (or so I believe) to the python program trying to read
from an empty cache.
>
> I'm not particularly at home in python programming, and have got
> nothing to add here. But I love to tinker with things that do not
> work. At the moment however, I'm quite time constrained, otherwise
> I'd give it a shot...
I know a little bit about python (not an expert by any means) but for
reasons I will not go into here, I will not attempt to fix this.
Rowland
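The thread shows two concrete things: GPME does write the password policy into sysvol as GptTmpl.inf (the "??" before [Unicode] in the cat output is the UTF-16 byte-order mark GPME writes, not content), and samba-gpupdate fails in gpo_version() when the GPT version it reads is empty. The script below is an added example, not code from the thread or from Samba: it parses a GptTmpl.inf, turns its [System Access] keys into the matching samba-tool domain passwordsettings set options so what GPME wrote can be applied by hand and compared with "samba-tool domain passwordsettings show", and reads a GPT.INI version without raising when the file is empty. The sample input is constructed to mirror the quoted file. The option names and units (ages in days, lockout values in minutes) are taken from samba-tool's help and should be checked against the installed version; mapping secedit's -1 ("never expires") to samba-tool's 0 is an assumption.

```python
"""Read the password settings GPME wrote to sysvol and emit the samba-tool
options that would actually apply them to the domain.

Added example, not code from the thread or from Samba. Sample inputs are
constructed to mirror the GptTmpl.inf quoted in the thread.
"""
import codecs
import configparser
from typing import List, Optional, Tuple


def _decode_inf(raw: bytes) -> str:
    # GptTmpl.inf as written by GPME is UTF-16 with a BOM; the "??" that
    # cat printed before [Unicode] in the thread is that BOM. Older or
    # hand-written files may be plain UTF-8.
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def _parse_ini(raw: bytes) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: MinimumPasswordLength, not lower-cased
    cp.read_string(_decode_inf(raw))
    return cp


def _never_to_zero(v: str) -> str:
    # secedit uses -1 for "password never expires"; samba-tool expresses
    # the same with 0 (assumption based on samba-tool's help text).
    return "0" if v == "-1" else v


# [System Access] key -> option of `samba-tool domain passwordsettings set`.
# Units agree on both sides: ages in days, lockout values in minutes.
SYSTEM_ACCESS_TO_SAMBA_TOOL = {
    "MinimumPasswordLength": ("--min-pwd-length", str),
    "PasswordHistorySize": ("--history-length", str),
    "MinimumPasswordAge": ("--min-pwd-age", str),
    "MaximumPasswordAge": ("--max-pwd-age", _never_to_zero),
    "PasswordComplexity": ("--complexity", lambda v: "on" if v == "1" else "off"),
    "LockoutBadCount": ("--account-lockout-threshold", str),
    "LockoutDuration": ("--account-lockout-duration", str),
    "ResetLockoutCount": ("--reset-account-lockout-after", str),
}


def samba_tool_args(gpttmpl_inf: bytes) -> List[str]:
    """Options for `samba-tool domain passwordsettings set`, in the order of
    the mapping above; empty if the template sets no password policy."""
    cp = _parse_ini(gpttmpl_inf)
    if not cp.has_section("System Access"):
        return []
    args = []
    for key, (opt, conv) in SYSTEM_ACCESS_TO_SAMBA_TOOL.items():
        if cp.has_option("System Access", key):
            args.append(f"{opt}={conv(cp.get('System Access', key).strip())}")
    return args


def gpt_version(gpt_ini: bytes) -> Optional[Tuple[int, int]]:
    """(machine_version, user_version) from GPT.INI, or None when the file is
    empty or lacks [General] Version= (the case that made gpo_version() in the
    thread raise instead of returning an int). Per MS-GPOL the low 16 bits of
    Version are the computer version and the high 16 bits the user version."""
    cp = _parse_ini(gpt_ini)
    if not cp.has_option("General", "Version"):
        return None
    v = int(cp.get("General", "Version"))
    return (v & 0xFFFF, v >> 16)


# Constructed sample input: the quoted GptTmpl.inf, re-encoded as GPME writes it.
SAMPLE_GPTTMPL_INF = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\nMinimumPasswordLength = 8\r\nPasswordComplexity = 0\r\n"
    "[Registry Values]\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print("samba-tool domain passwordsettings set "
          + " ".join(samba_tool_args(SAMPLE_GPTTMPL_INF)))
    print("GPT.INI version of an empty file:", gpt_version(b""))
```

Run against the real file with `samba_tool_args(open(path, "rb").read())`; the printed command is what to apply with samba-tool, and its output can then be checked against "samba-tool domain passwordsettings show".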