On 06.09.2023 18:59, David Mulder via samba wrote:
> So, now I'm confused. This output shows it working exactly as intended.
>
> The rsop shows that you set the following policy on the sysvol:
>
>> samba-gpupdate --rsop --target=Computer
>>
>> Resultant Set of Policy
>> Computer Policy
>>
>> GPO: Default Domain Policy
>>
>> ================================================================================================================================
>>
>>   CSE: gp_access_ext
>> ----------------------------------------------------------------
>>     Policy Type: System Access
>> ----------------------------------------------------------------
>>     [ MinimumPasswordAge ] =         0
>>     [ MaximumPasswordAge ] =         -1
>>     [ MinimumPasswordLength ] =         6
>> ----------------------------------------------------------------
>> ----------------------------------------------------------------
> And forcing the policy to apply shows that it clearly (well, maybe not
> so clearly) did what you asked it to do:
>> samba-gpupdate -d5 --force --target=Computer
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
>> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge":
>> {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
>> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge":
>> {"actions": [{"action": "replace", "values": [{"value":
>> "864000000000"}]}]}}}}
>>
>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST]
>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
>> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type":
>> "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0},
>> "statusCode": 0, "status": "Success", "operation": "Modify",
>> "remoteAddress": null, "performedAsSystem": false, "userSid":
>> "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId":
>> "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId":
>> "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes":
>> {"minPwdLength": {"actions": [{"action": "replace", "values":
>> [{"value": "6"}]}]}}}}
>>
> Note the `replace: minPwdAge [0]`, `replace: maxPwdAge [864000000000]`
> (-1), and `replace: minPwdLength [6]`.
>
> This is working as intended, as far as I can tell. So, what's the
> problem that I'm not understanding?
>
Hi David,

I'm also confused.

In your first post you wrote "You need to make sure you set the password
policy on the `Default Domain Controller Policy`."

Unfortunately I cannot supply screen dumps, as access is via X2Go to my
office Linux workstation, and then via RDP to the Windows 10 PC.

With GPME I set Default Domain Controllers Policy:

Enforce password history: 0
Maximum password age: 0
Minimum password age: 0
Minimum password length: 5

What shows up are the settings for Default Domain Policy, where the
following was set (from previous tests):

Enforce password history: Not Defined
Maximum password age: 0
Minimum password age: 0
Minimum password length: 6

However, neither of those has had any effect whatsoever. What gets
applied are the settings made with samba-tool domain passwordsettings on
the DC. In those, minimum password length = 4. I can without problems
set a password with the length 4 for any domain user, and I expected
something else (minimum length of 5 or 6), depending on which GPO gets
applied. Running a gpresult /scope Computer on the Windows 10 PC shows
that the Default Domain Policy gets applied (with minimum password
length 6).

When setting a password for a user through Domain Users and Computers, I'm
not allowed to set a password with less than 4 characters. 4 is OK, but
3 is not (consistent with what is set through samba-tool).

The conclusion is, something does not work as expected. Either there is
a bug in Samba 4.18.6, or I've got something wrong on my DC.

Tomorrow I will check what happens when I try to change the password as a
user on the physical Windows PC.

Thanks for the suggestions so far.

Best regards,
Peter
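
For following password-policy writes like the ones quoted above, here is an added example (not part of the original post and not Samba code) that pulls `dsdbChange` JSON records out of a log and flags a `minPwdLength` set under a baseline. The function names, the baseline of 8 and the `_record` helper are assumptions; the sample records mirror the quoted ones with the transaction and session ids omitted.

```python
import json

# Password-policy attributes on the domain head, named as in the quoted log.
POLICY_ATTRS = {"minPwdAge", "maxPwdAge", "minPwdLength"}
MIN_LENGTH_BASELINE = 8  # hypothetical site baseline, not a value from the thread

def policy_changes(lines):
    """Yield successful dsdbChange entries that touch password-policy attributes."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # human-readable "DSDB Change [...]" line
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue  # wrapped or truncated JSON
        if not isinstance(rec, dict) or rec.get("type") != "dsdbChange":
            continue
        chg = rec.get("dsdbChange", {})
        if chg.get("statusCode") != 0:
            continue
        for attr, detail in chg.get("attributes", {}).items():
            if attr not in POLICY_ATTRS:
                continue
            for act in detail.get("actions", []):
                vals = [str(v["value"]) for v in act.get("values", []) if "value" in v]
                yield {"time": rec.get("timestamp"), "dn": chg.get("dn"),
                       "sid": chg.get("userSid"), "attribute": attr,
                       "action": act.get("action"), "values": vals}

def below_baseline(change, baseline=MIN_LENGTH_BASELINE):
    """True when a change sets minPwdLength to a value under the baseline."""
    return (change["attribute"] == "minPwdLength"
            and change["action"] in ("add", "replace")
            and any(v.isdigit() and int(v) < baseline for v in change["values"]))

def _record(ts, attr, value, dn="DC=testdom,DC=talps"):
    # Builds a record in the shape quoted in the thread (ids omitted).
    action = {"action": "replace", "values": [{"value": value}]}
    return json.dumps({"timestamp": ts, "type": "dsdbChange", "dsdbChange": {
        "version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success",
        "operation": "Modify", "userSid": "S-1-5-18", "dn": dn,
        "attributes": {attr: {"actions": [action]}}}})

SAMPLE_LOG = [
    "DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST]",
    _record("2023-09-06T18:40:28.046428+0200", "minPwdAge", "0"),
    _record("2023-09-06T18:40:28.058717+0200", "minPwdLength", "6"),
    # Constructed record for an unrelated attribute; it must be ignored.
    _record("2023-09-06T18:41:00.000000+0200", "description", "x"),
]
```
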