similar to: Time synchronization and Password Policies

You guys mix to things. > AFAIK is the 'privileges' that are host-specific. Is correct. >the policies are on the domain (in the LDAP data, > the root DN, look at them!). Yes, but only the GPO policies and these are not applied to the samba server. And because of that, samba-tools password settings needs to be set on every DC. Greetz, Louis > -----Oorspronkelijk

Ahem, again revising docs... I've not found a place where there's a ist of policy applied if i set: apply group policies = yes There's something like that? they are exactly the policy in: samba-tool domain passwordsettings show Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia''

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > Did you run the command to disable the password check or complexabilty on all you DC's? Oh, never minded about that. Sure. Instead of commenting 'check password script' i can do: samba-tool domain passwordsettings set --complexity=off sure! Thanks! But, why you say «on all you DC's»? The password policies

Hi, is there a way to force password complexity on NT4 style domains? the "samba-tool domain passwordsettings" seems to only work on DC mode, right? Boris

Mandi! Rowland Penny via samba In chel di` si favelave... > The password settings are related to the DC and by default you cannot > set or change a password if it isn't complex enough Ok. >, you do not need to use an external script. Ahem, someone out there need it. ;-) This mean that, if i keep a 'check password script', i could also hit some trubles on, eg,

Mandi! Rowland Penny via samba In chel di` si favelave... > samba-tool domain passwordsettings set --complexity=off Ahem, i've typed '--comploxity'... sorry... OK, option is available in samba-tool in 4.2, but does not seems to work: root at lupus:~# samba-tool domain passwordsettings set --complexity=off Password complexity deactivated! All changes applied successfully!

Thanks for the help, however I don't think your suggestion applies in my case. On a fresh install of Samba 4.7.4 AD you cannot change a user password on a logged in PC through cntl-alt-del -> ChangePassword because the default MinAge is 1 days. I had to use the "samba-tool domain passwordsettings set --min-pwd-age=0" command to make the logged-on style of password change

AFAI've understood 'samba-tool domain passwordsettings' set domain password settings, while the GPO equivalent settings is for the client (windows client and server os). Currently i've enabled password complexity checks server side: root at vdcsv1:~# samba-tool domain passwordsettings show Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it' Password

Make a note: it is better to disable 'check password script' in the DC(s) before trying to join a new DC. ;( root at vdcpp1:~# samba-tool domain join ad.my.dom DC -U"MYDOM\administrator" --dns-backend=BIND9_DLZ Finding a writeable DC for domain 'ad.my.dom' Found DC vdcsv1.ad.my.dom Password for [MYDOM\administrator]: workgroup is MYDOM realm is ad.my.dom Adding

In Samba/NT i was used to share mapping done in netlogon script, so users move around between sites, get home and profile from remote location but still have share mapped from local servers. In Samba/AD, using GPO, share mapping is in ''user policy'', and so user roam between sites and get different policies? I'm googling around but i'm a bit confused... i can still use

Hai, > > Hi Louis, I think you missed this: current configuration > (Samba, NT mode) > > But I think you are on the right lines, using the same drive letters > for both sites is asking for trouble. No, thats ok and should work, since i do that also but in AD dom, and you may not use persistant drives and you disconnect them at logoff. > > However the bigger

Mandi! Marc Muehlfeld via samba In chel di` si favelave... [in the meantime, moved to 4.5...] > > Ahem, i've typed '--comploxity'... sorry... OK, option is available in > > samba-tool in 4.2, but does not seems to work: > This just turns off the need of complex passwords, but there are more > settings, such as minimum length, number of previous passwords not >

I'm trying to play with 'check password script' in AD mode, and seems to me that are simply ignored, at least when users logged on windows clients and (try to) change the password. I've also noted if i use other tools (eg, samba-tool for example) 'check password script' get executed. I've looked around, and seems that 'check password script' came back in 4.5,

I'm doing some test moving from a NT domain to ad AD domain, using debian jessie samba (4.2) and obviously the 'classicupgrade' procedure. In my setup i use(d) extensively some script to reset password to users. I was (ab)used to have 'smbpasswd' behave differently if executed by root, eg change the password without taking in consideration password policy and check password

Hi, I've joined samba DC to existing windows domain using: samba-tool domain join ***.** DC -U"***\admin" --dns-backend=BIND9_DLZ It has stopped on Adding DNS account CN=dns-DC... with the below error. ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') when the BIND9_DLZ is not specified

On 11/21/2017 4:34 AM, lists via samba wrote: > Hi, > > On 21-11-2017 4:40, Anantha Raghava via samba wrote: >> >> /*Password Policies*/ >> >> Password policies are not getting enforced on the clients. Initially >> we thought that we have to set those policies using "samba-tool user >> passwordsettings" and not on Windows GPO. As this was

I'm using samba 4.5 on a debian jessie (Louis packages). Rarely it happen that a power outgage tear down all the stuff, here. I've noticed that if the DM start before the DC, clearly all account data are inaccessible. To prevent or minimize that, the ''offline mode'' of winbind can be safely used also on DM servers? Or is tailoread against roaming client (portables,

Reding the thread in list about gluster, i've found that in your samba packages 4.5.12+dfsg-2+deb9u2~bpo8+1 there's no vfs_glusterfs module, only the manpage. root at vdmsv1:~# grep glusterfs /var/lib/dpkg/info/samba*.list /var/lib/dpkg/info/samba-vfs-modules.list:/usr/share/man/man8/vfs_glusterfs.8.gz root at vdmsv1:~# grep /vfs/ /var/lib/dpkg/info/samba*.list

Reading here i've understod that for LDAP query it is better to use SAMAccountName as 'login', but today i've found: https://docs.microsoft.com/it-it/windows/desktop/ADSchema/a-samaccountname so, 'SAMAccountName' is a compatibility field with NT mode, limited to 20 chars. Someone here use 21 chars logins? ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66

Mandi! Rowland Penny via samba In chel di` si favelave... > > But my question really is: why this policy apply, if i've not enabled > > in GPO? > Probably because GPOs have no effect on a Samba AD DC, they will only > effect Windows clients. Rowland, i'm speaking about windows clients, not samba servers! I've enabled 'complexity checks' in samba servers,