thr3ads.net - samba - [Samba] Domain password policy with Samba AD DC [Sep 2023]

If this information is useful, please help other people find it:
Share via:

Peter Milesson

2023-Sep-06 16:46 UTC

[Samba] Domain password policy with Samba AD DC

On 06.09.2023 18:26, David Mulder via samba wrote:>
> On 9/6/23 10:19 AM, Peter Milesson via samba wrote:
>>
>> I just tested according to your instruction.
>>
>> Logging in as Administrator at testdom.talps and setting password 
>> policies with GPME on Default Domain Controller Policies 
>> (specifically minimum password length = 5). Then through a cmd prompt 
>> with raised privileges gpupdate /force. Log out. Restart Samba AD DC. 
>> Running a sysvolcheck with no errors.
>>
>> Does still not work. It's still the settings made with samba-tool 
>> domain passwordsettings (minimum password length = 4) that decides 
>> the password policies.
>>
>> I have also tried setting password policies on Default Domain 
>> Policies. No juice.
>>
>> What I get from samba-tool domain passwordpolicies show is:
>>
>> Password information for domain 'DC=testdom,DC=talps'
>>
>> Password complexity: on
>> Store plaintext passwords: off
>> Password history length: 0
>> Minimum password length: 4
>> Minimum password age (days): 0
>> Maximum password age (days): 0
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>>
>>
>> My smb.conf
>>
>> # Global parameters
>> [global]
>> ??????? dns forwarder = xxx.xxx.xxx.xxx
>> ??????? netbios name = TESTADC1
>> ??????? realm = TESTDOM.TALPS
>> ??????? server role = active directory domain controller
>> ??????? workgroup = TESTDOM
>> ??????? idmap_ldb:use rfc2307 = yes
>> ??????? apply group policies = yes
>>
>> [sysvol]
>> ??????? path = /var/lib/samba/sysvol
>> ??????? read only = No
>>
>> [netlogon]
>> ??????? path = /var/lib/samba/sysvol/testdom.talps/scripts
>> ??????? read only = No
>>
>> As I previously stated, it's just a nuisance, you probably set 
>> password policies once, or very seldom. It would be nice if it worked 
>> as in a Windows AD DC.
>>
>>
> What's the output of these commends?
>
> sudo samba-gpupdate --rsop --target=Computer
>
> sudo samba-gpupdate -d5 --force --target=Computer
>Hi David,

Please, see below.

Best regards,

Peter

samba-gpupdate --rsop --target=Computer

Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
===============================================================================================================================
? CSE: gp_access_ext
 ? ----------------------------------------------------------------
 ??? Policy Type: System Access
 ??? ----------------------------------------------------------------
 ??? [ MinimumPasswordAge ] =???????? 0
 ??? [ MaximumPasswordAge ] =???????? -1
 ??? [ MinimumPasswordLength ] =???????? 6
 ??? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_krb_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_scripts_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_sudoers_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_sudoers_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_centrify_sudoers_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_centrify_crontab_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_smb_conf_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_msgs_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_symlink_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_files_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_openssh_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_motd_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_issue_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_startup_scripts_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: vgp_access_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_gnome_settings_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_cert_auto_enroll_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_firefox_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_chromium_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_chrome_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------
 ? CSE: gp_firewalld_ext
 ? ----------------------------------------------------------------
 ? ----------------------------------------------------------------

samba-gpupdate -d5 --force --target=Computer

INFO: Current debug levels:
 ? all: 5
 ? tdb: 5
 ? printdrivers: 5
 ? lanman: 5
 ? smb: 5
 ? rpc_parse: 5
 ? rpc_srv: 5
 ? rpc_cli: 5
 ? passdb: 5
 ? sam: 5
 ? auth: 5
 ? winbind: 5
 ? vfs: 5
 ? idmap: 5
 ? quota: 5
 ? acls: 5
 ? locking: 5
 ? msdfs: 5
 ? dmapi: 5
 ? registry: 5
 ? scavenger: 5
 ? dns: 5
 ? ldb: 5
 ? tevent: 5
 ? auth_audit: 5
 ? auth_json_audit: 5
 ? kerberos: 5
 ? drs_repl: 5
 ? smb2: 5
 ? smb2_credits: 5
 ? dsdb_audit: 5
 ? dsdb_json_audit: 5
 ? dsdb_password_audit: 5
 ? dsdb_password_json_audit: 5
 ? dsdb_transaction_audit: 5
 ? dsdb_transaction_json_audit: 5
 ? dsdb_group_audit: 5
 ? dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
 ? all: 5
 ? tdb: 5
 ? printdrivers: 5
 ? lanman: 5
 ? smb: 5
 ? rpc_parse: 5
 ? rpc_srv: 5
 ? rpc_cli: 5
 ? passdb: 5
 ? sam: 5
 ? auth: 5
 ? winbind: 5
 ? vfs: 5
 ? idmap: 5
 ? quota: 5
 ? acls: 5
 ? locking: 5
 ? msdfs: 5
 ? dmapi: 5
 ? registry: 5
 ? scavenger: 5
 ? dns: 5
 ? ldb: 5
 ? tevent: 5
 ? auth_audit: 5
 ? auth_json_audit: 5
 ? kerberos: 5
 ? drs_repl: 5
 ? smb2: 5
 ? smb2_credits: 5
 ? dsdb_audit: 5
 ? dsdb_json_audit: 5
 ? dsdb_password_audit: 5
 ? dsdb_password_json_audit: 5
 ? dsdb_transaction_audit: 5
 ? dsdb_transaction_json_audit: 5
 ? dsdb_group_audit: 5
 ? dsdb_group_json_audit: 5
INFO: Current debug levels:
 ? all: 5
 ? tdb: 5
 ? printdrivers: 5
 ? lanman: 5
 ? smb: 5
 ? rpc_parse: 5
 ? rpc_srv: 5
 ? rpc_cli: 5
 ? passdb: 5
 ? sam: 5
 ? auth: 5
 ? winbind: 5
 ? vfs: 5
 ? idmap: 5
 ? quota: 5
 ? acls: 5
 ? locking: 5
 ? msdfs: 5
 ? dmapi: 5
 ? registry: 5
 ? scavenger: 5
 ? dns: 5
 ? ldb: 5
 ? tevent: 5
 ? auth_audit: 5
 ? auth_json_audit: 5
 ? kerberos: 5
 ? drs_repl: 5
 ? smb2: 5
 ? smb2_credits: 5
 ? dsdb_audit: 5
 ? dsdb_json_audit: 5
 ? dsdb_password_audit: 5
 ? dsdb_password_json_audit: 5
 ? dsdb_transaction_audit: 5
 ? dsdb_transaction_json_audit: 5
 ? dsdb_group_audit: 5
 ? dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns forwarder = xxx.xxx.xxx.xxx
doing parameter netbios name = TESTADC1
doing parameter realm = TESTDOM.TALPS
doing parameter server role = active directory domain controller
doing parameter workgroup = TESTDOM
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter apply group policies = yes
Processing section "[sysvol]"
doing parameter path = /var/lib/samba/sysvol
doing parameter read only = No
Processing section "[netlogon]"
doing parameter path = /var/lib/samba/sysvol/testdom.talps/scripts
doing parameter read only = No
pm_process() returned Yes
ldb_wrap open of secrets.ldb
lp_load_ex: refreshing parameters
Freeing parametrics:
INFO: Current debug levels:
 ? all: 5
 ? tdb: 5
 ? printdrivers: 5
 ? lanman: 5
 ? smb: 5
 ? rpc_parse: 5
 ? rpc_srv: 5
 ? rpc_cli: 5
 ? passdb: 5
 ? sam: 5
 ? auth: 5
 ? winbind: 5
 ? vfs: 5
 ? idmap: 5
 ? quota: 5
 ? acls: 5
 ? locking: 5
 ? msdfs: 5
 ? dmapi: 5
 ? registry: 5
 ? scavenger: 5
 ? dns: 5
 ? ldb: 5
 ? tevent: 5
 ? auth_audit: 5
 ? auth_json_audit: 5
 ? kerberos: 5
 ? drs_repl: 5
 ? smb2: 5
 ? smb2_credits: 5
 ? dsdb_audit: 5
 ? dsdb_json_audit: 5
 ? dsdb_password_audit: 5
 ? dsdb_password_json_audit: 5
 ? dsdb_transaction_audit: 5
 ? dsdb_transaction_json_audit: 5
 ? dsdb_group_audit: 5
 ? dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns forwarder = xxx.xxx.xxx.xxx
doing parameter netbios name = TESTADC1
doing parameter realm = TESTDOM.TALPS
doing parameter server role = active directory domain controller
doing parameter workgroup = TESTDOM
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter apply group policies = yes
Processing section "[sysvol]"
doing parameter path = /var/lib/samba/sysvol
doing parameter read only = No
Processing section "[netlogon]"
doing parameter path = /var/lib/samba/sysvol/testdom.talps/scripts
doing parameter read only = No
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface enX0 ip=192.168.22.10 bcast=192.168.22.255 
netmask=255.255.255.0
added interface enX0 ip=192.168.22.10 bcast=192.168.22.255 
netmask=255.255.255.0
added interface enX0 ip=192.168.22.10 bcast=192.168.22.255 
netmask=255.255.255.0
added interface enX0 ip=192.168.22.10 bcast=192.168.22.255 
netmask=255.255.255.0
finddcs: searching for a DC by DNS domain TESTDOM.TALPS
finddcs: looking for SRV records for _ldap._tcp.TESTDOM.TALPS
resolve_lmhosts: Attempting lmhosts lookup for name 
_ldap._tcp.TESTDOM.TALPS<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
such file or directory
finddcs: DNS SRV response 0 at '192.168.22.10'
finddcs: performing CLDAP query on 192.168.22.10
finddcs: Found matching DC 192.168.22.10 with server_type=0x000013fd
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
 ? all: 5
 ? tdb: 5
 ? printdrivers: 5
 ? lanman: 5
 ? smb: 5
 ? rpc_parse: 5
 ? rpc_srv: 5
 ? rpc_cli: 5
 ? passdb: 5
 ? sam: 5
 ? auth: 5
 ? winbind: 5
 ? vfs: 5
 ? idmap: 5
 ? quota: 5
 ? acls: 5
 ? locking: 5
 ? msdfs: 5
 ? dmapi: 5
 ? registry: 5
 ? scavenger: 5
 ? dns: 5
 ? ldb: 5
 ? tevent: 5
 ? auth_audit: 5
 ? auth_json_audit: 5
 ? kerberos: 5
 ? drs_repl: 5
 ? smb2: 5
 ? smb2_credits: 5
 ? dsdb_audit: 5
 ? dsdb_json_audit: 5
 ? dsdb_password_audit: 5
 ? dsdb_password_json_audit: 5
 ? dsdb_transaction_audit: 5
 ? dsdb_transaction_json_audit: 5
 ? dsdb_group_audit: 5
 ? dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns forwarder = xxx.xxx.xxx.xxx
doing parameter netbios name = TESTADC1
doing parameter realm = TESTDOM.TALPS
doing parameter server role = active directory domain controller
doing parameter workgroup = TESTDOM
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter apply group policies = yes
pm_process() returned Yes
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'TESTDOM.TALPS': 
"Default-First-Site-Name"
namecache_fetch: name testadc1.testdom.talps#20 found.
ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.22.10 
(realm: TESTDOM.TALPS)
Successfully contacted LDAP server 192.168.22.10
Connecting to 192.168.22.10 at port 389
Connected to LDAP server testadc1.testdom.talps
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Search for (objectclass=*) in 
<CN=Administrator,CN=Users,DC=testdom,DC=talps> gave 1 replies
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to find a passdb backend to match samba_dsdb (samba_dsdb)
Found pdb backend samba_dsdb
schema_fsmo_init: we are master[yes] updates allowed[no]
ldb_wrap open of idmap.ldb
pdb backend samba_dsdb has a valid init
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-500]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-513]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-512]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-572]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-518]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-519]
get_privileges: No privileges assigned to SID 
[S-1-5-21-1819986505-3570514717-3911732761-520]
get_privileges: No privileges assigned to SID [S-1-22-2-0]
get_privileges_for_sids: sid = S-1-1-0
Privilege set: 0x0
get_privileges: No privileges assigned to SID [S-1-5-2]
get_privileges: No privileges assigned to SID [S-1-5-11]
get_privileges_for_sids: sid = S-1-5-32-544
Privilege set: 0x1ffffff0
get_privileges: No privileges assigned to SID [S-1-5-32-545]
get_privileges: No privileges assigned to SID [S-1-5-32-554]
Security token SIDs (14):
 ? SID[? 0]: S-1-5-21-1819986505-3570514717-3911732761-500
 ? SID[? 1]: S-1-5-21-1819986505-3570514717-3911732761-513
 ? SID[? 2]: S-1-5-21-1819986505-3570514717-3911732761-512
 ? SID[? 3]: S-1-5-21-1819986505-3570514717-3911732761-572
 ? SID[? 4]: S-1-5-21-1819986505-3570514717-3911732761-518
 ? SID[? 5]: S-1-5-21-1819986505-3570514717-3911732761-519
 ? SID[? 6]: S-1-5-21-1819986505-3570514717-3911732761-520
 ? SID[? 7]: S-1-22-2-0
 ? SID[? 8]: S-1-1-0
 ? SID[? 9]: S-1-5-2
 ? SID[ 10]: S-1-5-11
 ? SID[ 11]: S-1-5-32-544
 ? SID[ 12]: S-1-5-32-545
 ? SID[ 13]: S-1-5-32-554
 ?Privileges (0x??????? 1FFFFFF0):
 ? Privilege[? 0]: SeMachineAccountPrivilege
 ? Privilege[? 1]: SeTakeOwnershipPrivilege
 ? Privilege[? 2]: SeBackupPrivilege
 ? Privilege[? 3]: SeRestorePrivilege
 ? Privilege[? 4]: SeRemoteShutdownPrivilege
 ? Privilege[? 5]: SePrintOperatorPrivilege
 ? Privilege[? 6]: SeAddUsersPrivilege
 ? Privilege[? 7]: SeDiskOperatorPrivilege
 ? Privilege[? 8]: SeSecurityPrivilege
 ? Privilege[? 9]: SeSystemtimePrivilege
 ? Privilege[ 10]: SeShutdownPrivilege
 ? Privilege[ 11]: SeDebugPrivilege
 ? Privilege[ 12]: SeSystemEnvironmentPrivilege
 ? Privilege[ 13]: SeSystemProfilePrivilege
 ? Privilege[ 14]: SeProfileSingleProcessPrivilege
 ? Privilege[ 15]: SeIncreaseBasePriorityPrivilege
 ? Privilege[ 16]: SeLoadDriverPrivilege
 ? Privilege[ 17]: SeCreatePagefilePrivilege
 ? Privilege[ 18]: SeIncreaseQuotaPrivilege
 ? Privilege[ 19]: SeChangeNotifyPrivilege
 ? Privilege[ 20]: SeUndockPrivilege
 ? Privilege[ 21]: SeManageVolumePrivilege
 ? Privilege[ 22]: SeImpersonatePrivilege
 ? Privilege[ 23]: SeCreateGlobalPrivilege
 ? Privilege[ 24]: SeEnableDelegationPrivilege
 ?Rights (0x?????????????? 0):
Search for (objectclass=*) in 
<CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=testdom,DC=talps>
gave 1 replies
Search for (objectclass=*) in 
<cn={C0802200-92F4-4026-A6A3-2721C0E79A47},cn=policies,cn=system,DC=testdom,DC=talps>
gave 1 replies
sitename_fetch: Returning sitename for realm 'TESTDOM.TALPS': 
"Default-First-Site-Name"
namecache_fetch: name testadc1.testdom.talps#20 found.
Connecting to 192.168.22.10 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, 
TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, 
IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=2626560, 
SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, 
SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_creds_prepare_krb5: Doing kinit for TESTADC1$@TESTDOM.TALPS 
to access testadc1.testdom.talps
cli_session_setup_spnego_send: Connect to testadc1.testdom.talps as 
TESTADC1$@TESTDOM.TALPS using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
schema_fsmo_init: we are master[yes] updates allowed[no]
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status 
[Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] 
attributes [replace: minPwdAge [0]]
{"timestamp": "2023-09-06T18:40:28.046428+0200",
"type": "dsdbChange",
"dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
"status": "Success", "operation":
"Modify", "remoteAddress": null,
"performedAsSystem": false, "userSid": "S-1-5-18",
"dn":
"DC=testdom,DC=talps", "transactionId": 
"66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": 
"ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"minPwdAge":
{"actions": [{"action": "replace",
"values": [{"value": "0"}]}]}}}}
descriptor_prepare_commit: changes: num_registrations=0
descriptor_prepare_commit: changes: num_registered=0
descriptor_prepare_commit: changes: num_toplevel=0
descriptor_prepare_commit: changes: num_processed=0
descriptor_prepare_commit: objects: num_processed=0
descriptor_prepare_commit: objects: num_skipped=0
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] status 
[Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] 
attributes [replace: maxPwdAge [864000000000]]
{"timestamp": "2023-09-06T18:40:28.052922+0200",
"type": "dsdbChange",
"dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
"status": "Success", "operation":
"Modify", "remoteAddress": null,
"performedAsSystem": false, "userSid": "S-1-5-18",
"dn":
"DC=testdom,DC=talps", "transactionId": 
"e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": 
"ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"maxPwdAge":
{"actions": [{"action": "replace",
"values": [{"value":
"864000000000"}]}]}}}}
descriptor_prepare_commit: changes: num_registrations=0
descriptor_prepare_commit: changes: num_registered=0
descriptor_prepare_commit: changes: num_toplevel=0
descriptor_prepare_commit: changes: num_processed=0
descriptor_prepare_commit: objects: num_processed=0
descriptor_prepare_commit: objects: num_skipped=0
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST] status 
[Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] 
attributes [replace: minPwdLength [6]]
{"timestamp": "2023-09-06T18:40:28.058717+0200",
"type": "dsdbChange",
"dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
"status": "Success", "operation":
"Modify", "remoteAddress": null,
"performedAsSystem": false, "userSid": "S-1-5-18",
"dn":
"DC=testdom,DC=talps", "transactionId": 
"86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": 
"ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"minPwdLength":
{"actions": [{"action": "replace",
"values": [{"value": "6"}]}]}}}}
descriptor_prepare_commit: changes: num_registrations=0
descriptor_prepare_commit: changes: num_registered=0
descriptor_prepare_commit: changes: num_toplevel=0
descriptor_prepare_commit: changes: num_processed=0
descriptor_prepare_commit: objects: num_processed=0
descriptor_prepare_commit: objects: num_skipped=0
2023-09-06 18:40:28.063|[E98506]| Failed to apply extension 
Centrify/CrontabEntries | {}
2023-09-06 18:40:28.063|[E86463]| Message was: NameError: cannot access 
free variable 'cron_dir' where it is not associated with a value in 
enclosing scope | {}

David Mulder

2023-Sep-06 16:59 UTC

head link

[Samba] Domain password policy with Samba AD DC

So, now I'm confused. This output shows it working exactly as intended.

The rsop shows that you set the following policy on the sysvol:
> samba-gpupdate --rsop --target=Computer
>
> Resultant Set of Policy
> Computer Policy
>
> GPO: Default Domain Policy
>
================================================================================================================================
>
> ? CSE: gp_access_ext
> ? ----------------------------------------------------------------
> ??? Policy Type: System Access
> ----------------------------------------------------------------
> ??? [ MinimumPasswordAge ] =???????? 0
> ??? [ MaximumPasswordAge ] =???????? -1
> ??? [ MinimumPasswordLength ] =???????? 6
> ----------------------------------------------------------------
> ? ----------------------------------------------------------------And forcing the policy to apply shows that it clearly (well, maybe not 
so clearly) did what you asked it to do:> samba-gpupdate -d5 --force --target=Computer
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
> {"timestamp": "2023-09-06T18:40:28.046428+0200",
"type": "dsdbChange",
> "dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
> "status": "Success", "operation":
"Modify", "remoteAddress": null,
> "performedAsSystem": false, "userSid":
"S-1-5-18", "dn":
> "DC=testdom,DC=talps", "transactionId": 
> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"minPwdAge":
> {"actions": [{"action": "replace",
"values": [{"value": "0"}]}]}}}}
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
> {"timestamp": "2023-09-06T18:40:28.052922+0200",
"type": "dsdbChange",
> "dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
> "status": "Success", "operation":
"Modify", "remoteAddress": null,
> "performedAsSystem": false, "userSid":
"S-1-5-18", "dn":
> "DC=testdom,DC=talps", "transactionId": 
> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"maxPwdAge":
> {"actions": [{"action": "replace",
"values": [{"value":
> "864000000000"}]}]}}}}
>
> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST] status 
> [Success] remote host [Unknown] SID [S-1-5-18] DN 
> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
> {"timestamp": "2023-09-06T18:40:28.058717+0200",
"type": "dsdbChange",
> "dsdbChange": {"version": {"major": 1,
"minor": 0}, "statusCode": 0,
> "status": "Success", "operation":
"Modify", "remoteAddress": null,
> "performedAsSystem": false, "userSid":
"S-1-5-18", "dn":
> "DC=testdom,DC=talps", "transactionId": 
> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": 
> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
{"minPwdLength":
> {"actions": [{"action": "replace",
"values": [{"value": "6"}]}]}}}}
>Note the `replace: minPwdAge [0]`, `replace: maxPwdAge [864000000000]` 
(-1), and `replace: minPwdLength [6]`.

This is working as intended, as far as I can tell. So, what's the 
problem that I'm not understanding?

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com

samba - Sep 2023 - Domain password policy with Samba AD DC

[Samba] Domain password policy with Samba AD DC

[Samba] Domain password policy with Samba AD DC