Web lists-archives.com

Re: [Samba] Time synchronization and Password Policies

On 11/21/2017 4:59 PM, Andrew Bartlett wrote:
On Tue, 2017-11-21 at 09:02 -0500, lingpanda101 via samba wrote:
On 11/21/2017 4:34 AM, lists via samba wrote:

On 21-11-2017 4:40, Anantha Raghava via samba wrote:
/*Password Policies*/

Password policies are not getting enforced on the clients. Initially
we thought that we have to set those policies using "samba-tool user
passwordsettings" and not on Windows GPO. As this was not enforcing
the password policies, we set the GPO with the same settings. Yet the
same result. Password Policies are not getting applied.

We have three domain controllers in out environment.
No expert, and please someone correct me if I'm wrong, but:

I think the samba-tool user passwordsettings are local-DC-specific, so
you need to run it on all your DCs.
Could it be that you configured only one DC, and your password change
happens to be talking with a different DC..?


You are correct from my own environment.

      Is this how a Microsoft domain behaves as well or a limit of Samba
not being able to replicate these attributes? If anyone knows btw. Thanks.
MJ's statement is not correct.  The password policy attributes are
replicated, the configuration only needs to be done on a single DC.

Additionally, for Samba 4.8 it will (currently off by default) be
possible for a DC to read the password policy and other security
settings from the GPO files.


Andrew Bartlett


    Just tested a change on 4.7 and sure enough the replication was instantaneous. I haven't made changes to my password settings in some time, so not sure when things improved, but this wasn't always the case. I wonder in my case if it was merely a delay in replication and at some point it would have been reflected on the other DC's.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba