thr3ads.net - samba - [Samba] PSO applied directly to user, but pso show-user reports "No PSO applies" on Samba AD 4.19 [Nov 2025]

If this information is useful, please help other people find it:
Share via:

Carlo

2025-Nov-27 11:09 UTC

[Samba] PSO applied directly to user, but pso show-user reports "No PSO applies" on Samba AD 4.19

Hello everyone,

I am experiencing an issue with Password Settings Objects (PSO) on a 
Samba AD DC running version *4.19*.

I created a PSO and applied it directly to a user using:

|samba-tool domain passwordsettings pso apply pso_domain_admins test |

The LDAP attribute *msDS-PSOApplied* is correctly set on the user:

|dn: CN=test,OU=Amministratori,OU=Economics,DC=dma,DC=loc 
msDS-PSOApplied: CN=pso_domain_admins,CN=Password Settings 
Container,CN=System,DC=dma,DC=loc |

However, running:

|samba-tool domain passwordsettings pso show-user test |

always returns:

|No PSO applies to user 'test'. The default domain settings apply. |

This happens even though the PSO is clearly linked to the user in LDAP.

Additional details:

  *

    The PSO has precedence *1*.

  *

    The PSO is valid and correctly defined.

  *

    The user is not in any built-in groups (no Domain Admins, etc.).

  *

    The PSO is also ignored when applied through a Security Global group.

  *

    No errors appear with |samba-tool -d5|.

  *

    It looks like |msDS-ResultantPSO| is not being calculated or used
    correctly.

My question is:

*What's the problem?*

*Is this a known issue in Samba 4.19?*

*Is there any fix or patch for PSO evaluation, or should I open a bug 
report?*

Any help or confirmation would be greatly appreciated.

Thank you,
/Carlo/

samba - Nov 2025 - PSO applied directly to user, but pso show-user reports "No PSO applies" on Samba AD 4.19

[Samba] PSO applied directly to user, but pso show-user reports "No PSO applies" on Samba AD 4.19