similar to: Join DC has failed with error: NT_STATUS_PASSWORD_RESTRICTION

On Mon, 2019-09-23 at 09:25 +0200, Marco Gaiarin via samba wrote: > Mandi! tomek82 via samba > In chel di` si favelave... > > > ERROR(runtime): uncaught exception - (-1073741716, 'SetUserInfo2 level 26 for [dns-DC] failed: NT_STATUS_PASSWORD_RESTRICTION') > > You have a 'check password script' enabled in smb.conf? If I read the thread correctly, it was

On 23/09/2019 09:02, tomek82 wrote: > > W dniu 2019-09-22 20:24:36 u?ytkownik Rowland penny via samba <samba at lists.samba.org> napisa?: >> On 22/09/2019 19:05, tomek82 via samba wrote: >> &gt; Hi, >> &gt; >> &gt; I've joined samba DC to existing windows domain using: >> You say 'existing windows domain', but what is the Windows

You guys mix to things. > AFAIK is the 'privileges' that are host-specific. Is correct. >the policies are on the domain (in the LDAP data, > the root DN, look at them!). Yes, but only the GPO policies and these are not applied to the samba server. And because of that, samba-tools password settings needs to be set on every DC. Greetz, Louis > -----Oorspronkelijk

Hi, We are running Samba-AD and all things are working absolutely fine. However, two very specific issues observed one related to Windows Clients (Members) automatically synchronizing the time with PDC emulator and second password policies are not getting enforced. /*Time Synchronization:*/ Normally, in totally Windows environment, when adding a windows PC (Or server) to a domain as a

Hi, is there a way to force password complexity on NT4 style domains? the "samba-tool domain passwordsettings" seems to only work on DC mode, right? Boris

On 30/07/2019 15:39, Jeff Sadowski via samba wrote: > winbindd -V > Failed to create /var/log/samba/cores for user 11490 with mode 0700 > Unable to setup corepath for winbindd: Permission denied > Version 4.10.5 > > cat /etc/samba/smb.conf > [global] > log level = 3 winbind:5 > winbind cache time = 10 > security = ads > realm = SUB.DOMAIN >

Mandi! Rowland Penny via samba In chel di` si favelave... > samba-tool domain passwordsettings set --complexity=off Ahem, i've typed '--comploxity'... sorry... OK, option is available in samba-tool in 4.2, but does not seems to work: root at lupus:~# samba-tool domain passwordsettings set --complexity=off Password complexity deactivated! All changes applied successfully!

Hi everyone, I am using Samba 4.5.16-Debian on Raspbian and thanks to the help offered by everyone here I now finally have a mostly-working Active Directory network. I am now at the stage of creating inidividual user accounts for my domain and unfortunately I have a very basic but fundamental problem! I currently enter the following input at the command-line to create a new user on my DC: pi

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > Did you run the command to disable the password check or complexabilty on all you DC's? Oh, never minded about that. Sure. Instead of commenting 'check password script' i can do: samba-tool domain passwordsettings set --complexity=off sure! Thanks! But, why you say «on all you DC's»? The password policies

AFAI've understood 'samba-tool domain passwordsettings' set domain password settings, while the GPO equivalent settings is for the client (windows client and server os). Currently i've enabled password complexity checks server side: root at vdcsv1:~# samba-tool domain passwordsettings show Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it' Password

I'm doing some test moving from a NT domain to ad AD domain, using debian jessie samba (4.2) and obviously the 'classicupgrade' procedure. In my setup i use(d) extensively some script to reset password to users. I was (ab)used to have 'smbpasswd' behave differently if executed by root, eg change the password without taking in consideration password policy and check password

I'm running a Samba AD 4.7.4 and cannot set a new password for a user with an expired password during login from a Windows PC. Changing a password from inside a login with cntl-alt-del "change password" works ok. I've already decreased the minimum password age to 0 samba-tool domain passwordsettings show Password complexity: on Store plaintext passwords: off Password history

Make a note: it is better to disable 'check password script' in the DC(s) before trying to join a new DC. ;( root at vdcpp1:~# samba-tool domain join ad.my.dom DC -U"MYDOM\administrator" --dns-backend=BIND9_DLZ Finding a writeable DC for domain 'ad.my.dom' Found DC vdcsv1.ad.my.dom Password for [MYDOM\administrator]: workgroup is MYDOM realm is ad.my.dom Adding

Mandi! Rowland Penny via samba In chel di` si favelave... > The password settings are related to the DC and by default you cannot > set or change a password if it isn't complex enough Ok. >, you do not need to use an external script. Ahem, someone out there need it. ;-) This mean that, if i keep a 'check password script', i could also hit some trubles on, eg,

Thanks for the help, however I don't think your suggestion applies in my case. On a fresh install of Samba 4.7.4 AD you cannot change a user password on a logged in PC through cntl-alt-del -> ChangePassword because the default MinAge is 1 days. I had to use the "samba-tool domain passwordsettings set --min-pwd-age=0" command to make the logged-on style of password change

Mandi! Marc Muehlfeld via samba In chel di` si favelave... [in the meantime, moved to 4.5...] > > Ahem, i've typed '--comploxity'... sorry... OK, option is available in > > samba-tool in 4.2, but does not seems to work: > This just turns off the need of complex passwords, but there are more > settings, such as minimum length, number of previous passwords not >

I'm trying to play with 'check password script' in AD mode, and seems to me that are simply ignored, at least when users logged on windows clients and (try to) change the password. I've also noted if i use other tools (eg, samba-tool for example) 'check password script' get executed. I've looked around, and seems that 'check password script' came back in 4.5,

In our password settings we have: > samba-tool domain passwordsettings show : Password complexity: on Store plaintext passwords: off : Minimum password age (days): 0 Maximum password age (days): 90 : I don't find any setting for how many days before the expiration to warn users about the pending expiration. On Windows, users seem to get notified about a pending password expiration at

On Mon, 23 Oct 2017 16:52:05 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > Sorry, i came back on this, but: > > > In another, more generic, way: how password policies are enforced? > > still i need an answer on this question. > > > I've done some tests, using my account, that pdbedit say: > > root at vdcsv1:~# LANG=C

Mandi! Rowland Penny via samba In chel di` si favelave... > You will probably be better off using a later version of Samba, 4.2 is > EOL as far as Samba is concerned. You can easily do this by going here: > http://apt.van-belle.nl/ Thanks for the link. Could be sufficient to use 'backported' samba package, eg, samba from squeeze? > > There's some way to circumvent