On Wed, 30 Aug 2023 19:47:16 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>
> On 30.08.2023 19:17, Rowland Penny via samba wrote:
> > On Wed, 30 Aug 2023 18:56:48 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 30.08.2023 16:21, Rowland Penny via samba wrote:
> >>> On Wed, 30 Aug 2023 12:40:08 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 30.08.2023 11:58, Rowland Penny via samba wrote:
> >>>>> On Wed, 30 Aug 2023 09:49:05 +0200
> >>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>>>
> >>>>>> On 29.08.2023 21:38, Andrew Bartlett via samba wrote:
> >>>>>>> On Tue, 2023-08-29 at 12:58 +0200, Peter Milesson via samba wrote:
> >>>>>>>> On 27.08.2023 23:45, Andrew Bartlett wrote:
> >>>>>>>>> On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> >>>>>>>>>> Hi folks,
> >>>>>>>>>> I just wonder why it is not possible to set domain password
> >>>>>>>>>> policies with GPO, using the Windows RSAT Group Policy
> >>>>>>>>>> Manager? For most other settings, using GPOs through RSAT
> >>>>>>>>>> works. For somebody who sets up a Samba AD DC infrequently,
> >>>>>>>>>> this is a huge trap. There should be a very visible warning
> >>>>>>>>>> on the AD DC setup wiki page, that you *must* set up password
> >>>>>>>>>> policies with samba-tool, if you plan to change the default
> >>>>>>>>>> password policies (which I assume most will do). It should
> >>>>>>>>>> also be very clearly noted that it is not possible to do this
> >>>>>>>>>> with RSAT (as lots of people will try that anyway).
> >>>>>>>>>> This warning should also be displayed on the Group Policy
> >>>>>>>>>> wiki page. If there are other GPO policies that can not be
> >>>>>>>>>> set with RSAT, those should also be listed.
> >>>>>>>>> Thanks Peter for reaching out on this,
> >>>>>>>>> So, the challenge is that in the past, Samba didn't know how
> >>>>>>>>> to read these, and the settings were just ignored.
> >>>>>>>>> Now it can, but given there are now existing domains, which
> >>>>>>>>> setting should be primary, the one in the DB or the one in
> >>>>>>>>> the GPO? That is why the smb.conf setting "apply group
> >>>>>>>>> policies" needs to be set to Yes if the GPO approach is to
> >>>>>>>>> be taken. Feel free to ask for a wiki account to point out
> >>>>>>>>> this if you feel it would be helpful.
> >>>>>>>>> Andrew Bartlett
> >>>>>>>>>
> >>>>>>>> Hi folks,
> >>>>>>>> I've tried to get password policies setting using the Windows
> >>>>>>>> GPMC from RSAT working. Unfortunately, no change. It just
> >>>>>>>> does not work. Here is the smb.conf for the AD DC:
> >>>>>>>>
> >>>>>>>> # Global parameters
> >>>>>>>> [global]
> >>>>>>>>         dns forwarder = 78.110.208.34
> >>>>>>>>         netbios name = TESTADC1
> >>>>>>>>         realm = TESTDOM.TALPS
> >>>>>>>>         server role = active directory domain controller
> >>>>>>>>         workgroup = TESTDOM
> >>>>>>>>         idmap_ldb:use rfc2307 = yes
> >>>>>>>>         apply group policies = yes
> >>>>>>>>
> >>>>>>>> [sysvol]
> >>>>>>>>         path = /var/lib/samba/sysvol
> >>>>>>>>         read only = No
> >>>>>>>>
> >>>>>>>> [netlogon]
> >>>>>>>>         path = /var/lib/samba/sysvol/testdom.talps/scripts
> >>>>>>>>         read only = No
> >>>>>>>>
> >>>>>>>> The only way to set password policies for the domain, still
> >>>>>>>> seems to be through samba-tool domain passwordsettings and
> >>>>>>>> the parameter "apply group policies" has got no effect at
> >>>>>>>> all. If I create a gpresult.html file on a Windows member
> >>>>>>>> PC, it shows the settings I have set with the Windows Group
> >>>>>>>> Policy Management Editor (GPME), but when setting a password
> >>>>>>>> for a user in Active Directory Users and Computers, the
> >>>>>>>> settings are not honored. In GPME there is also the folder
> >>>>>>>> Samba\smb.conf, where the different password policy
> >>>>>>>> parameters can be set. No effect at all. In practice, this
> >>>>>>>> is not a big deal. You probably set the domain password
> >>>>>>>> policies once, and forget about it. I'm not going to waste
> >>>>>>>> more time on this. Just use samba-tool domain
> >>>>>>>> passwordsettings for setting password policies, and forget
> >>>>>>>> about GPMC.
> >>>>>>> I would also note that the even better password policies - fine
> >>>>>>> grained password policies - (password setting objects) were
> >>>>>>> never available via GPMC and were always directly set to the
> >>>>>>> directory. We have good tooling for that in samba-tool, plus
> >>>>>>> whatever windows uses would edit the same LDAP attributes.
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Hi Andrew,
> >>>>>>
> >>>>>> Thanks for the information. In my setting, standard password
> >>>>>> policies are sufficient.
> >>>>>>
> >>>>>> Is it possible to set password policies at all using GPMC from
> >>>>>> RSAT? I did not succeed, as I wrote. It's not an important
> >>>>>> issue, however it would have been nice to be able to use one
> >>>>>> tool for everything. In a small setting like mine (about 40
> >>>>>> users), I just set it once with samba-tool, and that's it. I
> >>>>>> would be very surprised if the need ever arises to change
> >>>>>> something there. I would sooner expect that there will be
> >>>>>> requirements for other types of authentication that are more
> >>>>>> secure in the not so far future.
> >>>>>>
> >>>>>> Best regards,
> >>>>>>
> >>>>>> Peter
> >>>>>>
> >>>>>>
> >>>>> This got my interest, so I did a little testing from a win10 VM
> >>>>> and (for myself) GPME works up to a point.
> >>>>>
> >>>>> I followed David Mulder's instructions, though there were a few
> >>>>> errors, I could easily set things in the GPME, but they didn't
> >>>>> seem to affect AD. I turned off password complexity and set min
> >>>>> password length to 8, this was not reflected in AD.
> >>>>> I then wondered if it was altering sysvol, so I checked and:
> >>>>>
> >>>>> sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/'{31B2F340-016D-11D2-945F-00C04FB984F9}'/MACHINE/Microsoft/'Windows NT'/SecEdit/GptTmpl.inf
> >>>>> ??[Unicode]
> >>>>> Unicode=yes
> >>>>> [Version]
> >>>>> signature="$CHICAGO$"
> >>>>> Revision=1
> >>>>> [System Access]
> >>>>> MinimumPasswordLength = 8
> >>>>> PasswordComplexity = 0
> >>>>> [Registry Values]
> >>>>>
> >>>>> And when I turned password complexity back on through
GPME:
> >>>>>
> >>>>> ??[Unicode]
> >>>>> Unicode=yes
> >>>>> [Version]
> >>>>> signature="$CHICAGO$"
> >>>>> Revision=1
> >>>>> [System Access]
> >>>>> MinimumPasswordLength = 8
> >>>>> PasswordComplexity = 1
> >>>>> [Registry Values]
> >>>>>
> >>>>> So it looks like it is halfway there, it is creating the GPO in
> >>>>> sysvol. I ran samba-gpupdate, but it either does nothing or
> >>>>> crashes.
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>> Hi Rowland,
> >>>>
> >>>> I set the parameter "apply group policies = yes" in smb.conf as
> >>>> Andrew suggested (I even tried in GPME/Administrative
> >>>> templates/Samba/smb.conf). Then I set password policies through
> >>>> GPME. Every time I do something in GPMC/GPME, it seems that the
> >>>> permissions under sysvol become disturbed (using samba-tool ntacl
> >>>> sysvolcheck), but was fixed by a sysvolreset (this is another
> >>>> matter). Subsequently, I checked up the entries in GPME, and they
> >>>> were exactly as I had set them with GPME. Running a GPRESULT in
> >>>> Windows showed that policies set with GPME were applied. Running
> >>>> "samba-tool domain passwordsettings show", does not reflect
> >>>> anything set with GPME. Testing by adding a new user to AD,
> >>>> confirms that the samba-tool settings are those that get
> >>>> applied, not what I set with GPME. A bit weird.
> >>>>
> >>>> Presently, the problem is more of an academic nature. I can live
> >>>> with that, as it's more like set and forget. I may have forgotten
> >>>> something essential, but I don't think so. I guess this needs a
> >>>> bit more work in the code. Nothing high priority, I guess, as
> >>>> it's not a show stopper. But it should be duly noted in the Wiki.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>> The problem is, from my point of view, David Mulder created a
> >>> document about Samba and GPOs, part of which seems to suggest
> >>> that, at some time, setting password attributes with GPME worked,
> >>> well, I cannot get it to work now.
> >>>
> >>> After reading the code for gpclass.py, it looks like the python
> >>> code looks for 'version' in a cache file, this cache file is
> >>> empty, probably because the domain controllers GPO is an empty
> >>> GPO when first created. This does lead to a question, AD GPOs are
> >>> stored on disk in sysvol and also in AD, so why does Samba
> >>> require yet another copy in a cache ?
> >>>
> >>> If I change the output of 'gpo_version' from gpclass.py to return
> >>> an integer, samba-gpupdate no longer crashes, it still doesn't
> >>> work, but it no longer crashes.
> >>>
> >>> Rowland
> >>>
> >>>
> >>>
> >> Hi Rowland,
> >>
> >> I would like to have Andrew's comments about this (and if possible,
> >> also from David Mulder). Obviously, it does not work.
> > Hi Peter,
> > I think we need to hear from David, he has done some amazing work on
> > Samba and GPOs, including creating the document I linked to. That
> > document seems to indicate that modifying the default Domain
> > Controllers Policy did, at some time, work, as you and I know, it
> > doesn't now.
> >
> >> I don't get any errors at all, no crashes, nothing in the journal,
> >> nor in the Samba logs (Debian Bookworm 12.1, Samba 4.18.6 from
> >> bookworm-backports).
> > If I try to alter the default Domain Controllers policy via GPME,
> > whilst GPME shows and retains the changes, nothing changes in AD.
> > There are changes in sysvol, but these changes seem to require that
> > sysvolreset is run. If I then run samba-gpupdate, I get this:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba-gpupdate", line 133, in <module>
> >     apply_gp(lp, creds, store, gp_extensions, username,
> >   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 481, in apply_gp
> >     version = gpo_version(lp, path)
> >   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 431, in gpo_version
> >     return int(gpo.gpo_get_sysvol_gpt_version(gpt_path)[1])
> > samba.NTSTATUSError: (3221225700, 'This error indicates that the
> > requested operation cannot be completed due to a catastrophic media
> > failure or an on-disk data structure corruption.')
> >
> > I traced this (or so I believe) to the python program trying to read
> > from an empty cache.
> >
> >> I'm not particularly at home in python programming, and have got
> >> nothing to add here. But I love to tinker with things that do not
> >> work. At the moment however, I'm quite time constrained, otherwise
> >> I'd give it a shot...
> > I know a little bit about python (not an expert by any means) but
> > for reasons I will not go into here, I will not attempt to fix this.
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> Those are the same errors I get. Need to run sysvolreset after that. I
> hope that David reads this and chimes in.
As do I.
>
> As the problem is not a complete brick wall, nobody knowledgeable
> will give it a very high priority. But, as I pointed out previously,
> it should be mentioned in the Wiki. It could save lots of people
> banging their heads in the said wall, when samba-tool could be used
> to solve the problem quickly and efficiently.
I would update the wiki, but I need to know with just what, did it work
at one time, in which case it is a regression bug, or has it never
worked, despite what David put in his documentation ?
Rowland
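A check that follows from the thread, added here as an example and not code from the thread or from the Samba project: parse the GptTmpl.inf that GPME writes under sysvol (the file Rowland `cat`s above) and the text output of `samba-tool domain passwordsettings show`, then list every setting on which the two disagree. That difference is exactly what Peter observed when a new user got the samba-tool policy rather than the GPO one. Only MinimumPasswordLength and PasswordComplexity appear in the thread; the other SecEdit key names in the mapping are the standard ones for the remaining domain policy settings, and the sample INF and sample samba-tool output are constructed for this example. GPME writes GptTmpl.inf as UTF-16 with a byte-order mark, which is the most likely origin of the leading `??` in the quoted `cat` output, so the parser handles that encoding explicitly.

```python
"""Compare the password policy a GPO declares in GptTmpl.inf with the
policy the Samba domain actually enforces (added example; all inputs
below are constructed, not taken from a live domain)."""
import configparser

# SecEdit [System Access] key -> label printed by
# `samba-tool domain passwordsettings show`. The first two keys appear in
# the thread; the rest are the standard SecEdit names for the remaining
# domain password/lockout settings.
GPT_TO_SAMBA_TOOL = {
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Password complexity",
    "PasswordHistorySize": "Password history length",
    "MinimumPasswordAge": "Minimum password age (days)",
    "MaximumPasswordAge": "Maximum password age (days)",
    "LockoutBadCount": "Account lockout threshold (attempts)",
    "LockoutDuration": "Account lockout duration (mins)",
    "ResetLockoutCount": "Reset account lockout after (mins)",
}


def decode_gpttmpl(data: bytes) -> str:
    """GPME writes GptTmpl.inf as UTF-16 with a BOM; a plain `cat` shows
    that BOM as junk such as the '??' in the thread. Fall back to UTF-8
    (with or without BOM) for hand-written files."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_gpttmpl(data: bytes) -> dict:
    """Return the [System Access] section as {key: value}, keeping the
    INF's own key casing so the keys match GPT_TO_SAMBA_TOOL."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase MinimumPasswordLength etc.
    cp.read_string(decode_gpttmpl(data).replace("\r\n", "\n"))
    if not cp.has_section("System Access"):
        return {}
    return {k: v.strip().strip('"') for k, v in cp["System Access"].items()}


def parse_passwordsettings(text: str) -> dict:
    """Parse `samba-tool domain passwordsettings show` output into
    {label: value}; the header line has no colon and is skipped."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        settings[label.strip()] = value.strip()
    return settings


def normalise(label: str, value: str) -> str:
    """Bring both sources into one vocabulary: complexity is 'on'/'off'
    (SecEdit uses 1/0), every other setting is a plain integer string."""
    if label == "Password complexity":
        return "on" if value in ("1", "on") else "off"
    return str(int(value))


def compare_policies(gpo: dict, domain: dict) -> list:
    """Return (label, gpo_value, domain_value) for every setting the GPO
    declares that the domain does not currently enforce."""
    mismatches = []
    for gpt_key, label in GPT_TO_SAMBA_TOOL.items():
        if gpt_key not in gpo or label not in domain:
            continue  # the GPO leaves this setting alone
        want = normalise(label, gpo[gpt_key])
        have = normalise(label, domain[label])
        if want != have:
            mismatches.append((label, want, have))
    return mismatches


# Constructed GptTmpl.inf mirroring the one quoted in the thread, encoded
# as GPME would write it (UTF-16 with BOM).
SAMPLE_GPTTMPL = "\r\n".join([
    "[Unicode]", "Unicode=yes",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[System Access]", "MinimumPasswordLength = 8", "PasswordComplexity = 0",
    "[Registry Values]", "",
]).encode("utf-16")

# Constructed `samba-tool domain passwordsettings show` output showing the
# Samba default policy that the thread says remains in force.
SAMPLE_PASSWORDSETTINGS = """\
Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""


def check_sample() -> list:
    """Run the comparison on the constructed inputs."""
    return compare_policies(parse_gpttmpl(SAMPLE_GPTTMPL),
                            parse_passwordsettings(SAMPLE_PASSWORDSETTINGS))


if __name__ == "__main__":
    for label, want, have in check_sample():
        print(f"{label}: GPO says {want}, domain enforces {have}")
```

On a real DC the two inputs would be the bytes of the GptTmpl.inf under the policy's MACHINE/Microsoft/Windows NT/SecEdit directory in sysvol and the captured stdout of `samba-tool domain passwordsettings show`; an empty result means the GPO and the directory agree, which is the state the thread never reaches.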