On 9/6/23 20:30, Peter Milesson via samba wrote:
>
> On 06.09.2023 18:59, David Mulder via samba wrote:
>> So, now I'm confused. This output shows it working exactly as intended.
>>
>> The rsop shows that you set the following policy on the sysvol:
>>
>>> samba-gpupdate --rsop --target=Computer
>>>
>>> Resultant Set of Policy
>>> Computer Policy
>>>
>>> GPO: Default Domain Policy
>>>
>>> ================================================================================================================================
>>>
>>> CSE: gp_access_ext
>>> ----------------------------------------------------------------
>>>   Policy Type: System Access
>>> ----------------------------------------------------------------
>>>   [ MinimumPasswordAge ] = 0
>>>   [ MaximumPasswordAge ] = -1
>>>   [ MinimumPasswordLength ] = 6
>>> ----------------------------------------------------------------
>>> ----------------------------------------------------------------
>> And forcing the policy to apply shows that it clearly (well, maybe
>> not so clearly) did what you asked it to do:
>>> samba-gpupdate -d5 --force --target=Computer
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST]
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>>> [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
>>> {"timestamp": "2023-09-06T18:40:28.046428+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "66a336b7-9d1d-4dc1-aa64-5c0363dc0d49", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdAge": {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.052847 CEST]
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>>> [DC=testdom,DC=talps] attributes [replace: maxPwdAge [864000000000]]
>>> {"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "e51e13d3-0922-4142-a5a5-a115ed7e5183", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"maxPwdAge": {"actions": [{"action": "replace", "values": [{"value": "864000000000"}]}]}}}}
>>>
>>> DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.058667 CEST]
>>> status [Success] remote host [Unknown] SID [S-1-5-18] DN
>>> [DC=testdom,DC=talps] attributes [replace: minPwdLength [6]]
>>> {"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "86efea8f-c624-455d-a7c8-2fd519389f73", "sessionId": "ef55011d-425b-4687-b6f9-f929bfc5eb29", "attributes": {"minPwdLength": {"actions": [{"action": "replace", "values": [{"value": "6"}]}]}}}}
>>>
>> Note the `replace: minPwdAge [0]`, `replace: maxPwdAge
>> [864000000000]` (-1), and `replace: minPwdLength [6]`.
>>
>> This is working as intended, as far as I can tell. So, what's the
>> problem that I'm not understanding?
>>
> Hi David,
>
> I'm also confused.
>
> In your first post you wrote "You need to make sure you set the
> password policy on the `Default Domain Controller Policy`."
>
> Unfortunately I cannot supply screen dumps, as access is via X2Go to
> my office Linux workstation, and then via RDP to the Windows 10 PC.
>
> With GPME I set Default Domain Controllers Policy:
>
> Enforce password history: 0
> Maximum password age: 0
> Minimum password age: 0
> Minimum password length: 5
>
>
> What shows up are the settings for Default Domain Policy, where the
> following was set (from previous tests):
>
> Enforce password history: Not Defined
> Maximum password age: 0
> Minimum password age: 0
> Minimum password length: 6
>
> However, neither of those has got any effect whatsoever. What gets
> applied are the settings made with samba-tool domain passwordsettings
> on the DC. In those, minimum password length = 4. I can without
> problems set a password with the length 4 for any domain user, and I
> expected something else (minimum length of 5 or 6), depending on which
> GPO gets applied. Running a gpresult /scope Computer on the Windows 10
> PC, shows that the Default Domain Policy gets applied (with minimum
> password length 6).
>
> When setting password for a user through Domain Users and Computers,
> I'm not allowed to set a password with less than 4 characters. 4 is
> OK, but 3 is not (consistent with what is set through samba-tool).
>
> The conclusion is, something does not work as expected. Either there
> is a bug in Samba 4.18.6, or I've got something wrong on my DC.
>
> Tomorrow I will check what happens when I try to change password as a
> user on the physical Windows PC.
>
> Thanks for the suggestions so far.
>
> Best regards,
>
> Peter
>
>
Hi David,

Now things seem to be clearing up a bit.

Yesterday, I could still set passwords with length = 4 characters. When
letting everything "mature" overnight, the Default Domain Policy seems
to apply. Now a minimum of 6 characters is required, and when I run
samba-tool domain passwordsettings, the parameter Minimum password
length = 6.

Everything seems to be working, except for the fact that gpupdate
/force in Windows does not immediately update the GPOs. If I run
samba-gpupdate --force, the altered GPO takes effect immediately, however.

So to summarize, using GPME to update the GPO controlling password policies:

* Add apply group policies = yes in smb.conf (restart samba-ad-dc service)
* Log in as TESTDOM\Administrator to a domain Windows PC with RSAT
  tools installed
* Edit the GPO Default Domain Policy/Computer
  Configuration/Policies/Windows Settings/Security Settings/Account
  Policies/Password Policy with GPME and close the GPME and GPMC
* (Don't bother running gpupdate /force in Windows, it's got no effect
  anyway)
* If you want the changed GPO to take effect immediately, run
  samba-gpupdate --force on the DC, otherwise wait anything from 90 -
  120 minutes.

Thanks for your help David!

Best regards,

Peter
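The dsdbChange records David quoted are Samba's DSDB audit log, and they are the place a defender can see exactly when and by whom the domain password policy (minPwdAge, maxPwdAge, minPwdLength on the domain root DN) was rewritten, whether by samba-gpupdate, samba-tool, or anything else. The following is an added example, not code from the thread or from the Samba project: it parses such JSON audit lines, keeps only successful Modify operations on the domain DN that touch password-policy attributes, converts the 100-nanosecond age values to days, and flags settings a monitoring rule would consider weak. The sample log is constructed in the same shape as the records quoted above; the transaction and session ids in it are placeholders, and the weak-setting thresholds are assumptions to adjust to local policy.

```python
import json

# Attributes on the domain root DN that together form the domain password policy.
# A successful Modify on any of these changes the policy for every account.
PASSWORD_POLICY_ATTRS = {
    "minPwdLength": "Minimum password length",
    "minPwdAge": "Minimum password age",
    "maxPwdAge": "Maximum password age",
    "pwdHistoryLength": "Enforce password history",
    "pwdProperties": "Password complexity / reversible-encryption flags",
}

# Age attributes are stored as 100-nanosecond intervals (AD stores them negative;
# the sign carries no information for reporting, so it is dropped).
INTERVAL_ATTRS = {"minPwdAge", "maxPwdAge"}
INTERVALS_PER_DAY = 864_000_000_000  # 86400 s/day * 10^7 intervals/s

# Constructed sample, modelled on the dsdbChange records quoted in the thread.
# Ids are placeholders; the last record is an unrelated user change that must be ignored.
SAMPLE_LOG = r"""
DSDB Change [Modify] at [Wed, 06 Sep 2023 18:40:28.046297 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [DC=testdom,DC=talps] attributes [replace: minPwdAge [0]]
{"timestamp": "2023-09-06T18:40:28.046428+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "00000000-0000-0000-0000-000000000001", "sessionId": "00000000-0000-0000-0000-0000000000aa", "attributes": {"minPwdAge": {"actions": [{"action": "replace", "values": [{"value": "0"}]}]}}}}
{"timestamp": "2023-09-06T18:40:28.052922+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "00000000-0000-0000-0000-000000000002", "sessionId": "00000000-0000-0000-0000-0000000000aa", "attributes": {"maxPwdAge": {"actions": [{"action": "replace", "values": [{"value": "864000000000"}]}]}}}}
{"timestamp": "2023-09-06T18:40:28.058717+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "DC=testdom,DC=talps", "transactionId": "00000000-0000-0000-0000-000000000003", "sessionId": "00000000-0000-0000-0000-0000000000aa", "attributes": {"minPwdLength": {"actions": [{"action": "replace", "values": [{"value": "6"}]}]}}}}
{"timestamp": "2023-09-06T18:41:02.000000+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:192.0.2.10:49152", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-1104", "dn": "CN=alice,CN=Users,DC=testdom,DC=talps", "transactionId": "00000000-0000-0000-0000-000000000004", "sessionId": "00000000-0000-0000-0000-0000000000bb", "attributes": {"description": {"actions": [{"action": "replace", "values": [{"value": "test"}]}]}}}}
"""


def interval_to_days(raw: str) -> float:
    """Convert an AD 100-ns interval string (either sign) to days."""
    return abs(int(raw)) / INTERVALS_PER_DAY


def parse_policy_changes(log_text: str, domain_dn: str) -> list:
    """Return one finding per password-policy value written to domain_dn."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # the human-readable 'DSDB Change' line precedes each JSON record
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "dsdbChange":
            continue
        change = rec.get("dsdbChange", {})
        if change.get("operation") != "Modify" or change.get("status") != "Success":
            continue
        if change.get("dn", "").lower() != domain_dn.lower():
            continue  # only the domain root carries the domain password policy
        for attr, detail in change.get("attributes", {}).items():
            if attr not in PASSWORD_POLICY_ATTRS:
                continue
            for action in detail.get("actions", []):
                for val in action.get("values", []):
                    finding = {
                        "timestamp": rec.get("timestamp"),
                        "user_sid": change.get("userSid"),
                        "remote": change.get("remoteAddress"),
                        "attribute": attr,
                        "setting": PASSWORD_POLICY_ATTRS[attr],
                        "action": action.get("action"),
                        "value": val.get("value"),
                    }
                    if attr in INTERVAL_ATTRS:
                        finding["days"] = interval_to_days(val["value"])
                    findings.append(finding)
    return findings


def weak_settings(findings: list, min_length: int = 8) -> list:
    """Assumed monitoring rule: flag short minimum lengths and non-expiring passwords."""
    weak = []
    for f in findings:
        if f["attribute"] == "minPwdLength" and int(f["value"]) < min_length:
            weak.append(f)
        elif f["attribute"] == "maxPwdAge" and int(f["value"]) == 0:
            weak.append(f)  # 0 means passwords never expire
    return weak


if __name__ == "__main__":
    for f in parse_policy_changes(SAMPLE_LOG, "DC=testdom,DC=talps"):
        extra = f" ({f['days']:.2f} days)" if "days" in f else ""
        print(f"{f['timestamp']} {f['user_sid']} {f['action']} {f['setting']} = {f['value']}{extra}")
    for f in weak_settings(parse_policy_changes(SAMPLE_LOG, "DC=testdom,DC=talps")):
        print(f"WEAK: {f['setting']} = {f['value']}")
```

Pointed at the real audit log (Samba writes these records when the dsdb audit logging options are enabled), this turns the thread's "did the GPO actually change anything" question into a recorded answer: the userSid tells you whether the write came from the local system (S-1-5-18, as when samba-gpupdate applies the policy on the DC) or from an interactive account, and remoteAddress whether it arrived over LDAP.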