
Re: [Samba] Time synchronization and Password Policies

Hello! L.P.H. van Belle via samba
  On that day it was said...

> Yes, but only the GPO policies and these are not applied to the samba server. 

No. I've looked back at the list archive and have not found the email, but
I'm sure that someone here (Andrew?) replied to me that password policies
are replicated between DCs.

Also, it seems strange to me that those settings get written into the LDAP AD
data and are not used by every DC:

	root@vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base | grep -i pwd
	maxPwdAge: -77760000000000
	minPwdAge: 0
	minPwdLength: 8
	pwdProperties: 1
	pwdHistoryLength: 5

Also, I've not set that value on my second DC, but:

	root@vdcpp1:~# samba-tool domain passwordsettings show
	Password informations for domain 'DC=ad,DC=fvg,DC=lnf,DC=it'
	Password complexity: on
	Store plaintext passwords: off
	Password history length: 5
	Minimum password length: 8
	Minimum password age (days): 0
	Maximum password age (days): 90
	Account lockout duration (mins): 30
	Account lockout threshold (attempts): 5
	Reset account lockout after (mins): 5

and these are exactly the settings on my first DC, correctly propagated
on the second.

So, trying to summarize:

a) 'samba-tool domain passwordsettings' sets the password policy for the
 ''samba'' part, for every DC in the domain

b) these password policies are not enforced on the Windows client, and
 have to be ''replicated'' in a GPO.


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
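
The raw ldbsearch attributes and the samba-tool output quoted in the message above describe the same policy in different units (maxPwdAge is a negative count of 100 ns ticks, pwdProperties is a bit field). The following is an added example, not part of the original post and not Samba's own code: it decodes the attributes and reports any that differ between DCs. The second DC's values and the name "dc2-constructed" are constructed for illustration.

```python
TICKS_PER_DAY = 10_000_000 * 86_400   # AD stores ages as negative 100 ns ticks
NEVER = -0x8000000000000000           # maxPwdAge value meaning "never expires"
DOMAIN_PASSWORD_COMPLEX = 0x01        # pwdProperties bits
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
POLICY_ATTRS = ("maxPwdAge", "minPwdAge", "minPwdLength", "pwdProperties", "pwdHistoryLength")

def parse_policy(ldif_text):
    """Pull the integer password-policy attributes out of ldbsearch output."""
    found = {}
    for line in ldif_text.splitlines():
        name, _, value = line.strip().partition(":")
        if name in POLICY_ATTRS:
            found[name] = int(value)
    return found

def days(ticks):
    """Convert an AD interval to whole days; None means 'never expires'."""
    return None if ticks == NEVER else abs(ticks) // TICKS_PER_DAY

def decode_policy(attrs):
    """Translate raw attributes into the units samba-tool prints."""
    props = attrs["pwdProperties"]
    return {
        "complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "store_plaintext": bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
        "history_length": attrs["pwdHistoryLength"],
        "min_length": attrs["minPwdLength"],
        "min_age_days": days(attrs["minPwdAge"]),
        "max_age_days": days(attrs["maxPwdAge"]),
    }

def policy_drift(dc_outputs):
    """Return {attr: {dc: value}} for attributes that differ between DCs."""
    parsed = {dc: parse_policy(text) for dc, text in dc_outputs.items()}
    return {a: {dc: p.get(a) for dc, p in parsed.items()}
            for a in POLICY_ATTRS
            if len({p.get(a) for p in parsed.values()}) > 1}

# Output of the ldbsearch command quoted in the message (vdcpp1).
DC1 = """maxPwdAge: -77760000000000
minPwdAge: 0
minPwdLength: 8
pwdProperties: 1
pwdHistoryLength: 5"""
# Constructed sample: a hypothetical second DC that has not picked up a change.
DC2_STALE = DC1.replace("minPwdLength: 8", "minPwdLength: 7")

if __name__ == "__main__":
    print(decode_policy(parse_policy(DC1)))
    print(policy_drift({"vdcpp1": DC1, "dc2-constructed": DC2_STALE}))
```

An empty result from policy_drift means every DC's sam.ldb holds the same domain password policy.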
