Bug 35997 – Explain Samba 4 password policies

Bug 35997 - Explain Samba 4 password policies


Summary:	Explain Samba 4 password policies

Status:	RESOLVED WONTFIX

Product:	Z_SDB
Classification:	Unclassified
Component:	New entries
Version:	unspecified
Hardware:	Other Linux

Importance:	P3 enhancement
Target Milestone:	---
Assigned To:	Christina Scheinig
QA Contact:

URL:	http://sdb.univention.de/1379
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-09-25 07:50 CEST by Tim Petersen
Modified:	2020-07-02 17:19 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Petersen

2014-09-25 07:50:45 CEST

It seems that the samba 4 password policies are not clear - we get tickets with relates questions quite often.

Therefore we should explain the different policies (samba domain ldap object, samba-tool domain) in a short troubleshooting guide.

Comment 1 Christina Scheinig

2017-01-19 11:45:40 CET

samba-tool domain passwordsettings show
Password informations for domain 'DC=sunshine,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 3
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
--------------------------------------------------------------------------

udm policies/pwhistory list

DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=sunshine,dc=local
ARG: None
  ldapFilter: None
  name: default-settings
  length: 3
  expiryInterval: 70
  pwQualityCheck: None
  pwLength: 8
----------------------------------------------------------------------------

Comment 2 Christina Scheinig

2017-01-30 09:15:39 CET

Online for now, but we need to make some more additions.

A policy result should be added, because there could be different UDM-Policies with different LDAP-paths and thereby different users connected.

univention-policy-result -w "$(ucr get ldap/hostdn)" -y /etc/machine.secret uid=user1,dc=sunshine,dc=local

Comment 3 Ingo Steuwer

2020-07-02 17:19:54 CEST

Changes and improvements for SDB entries aren't tracked in Bugzilla anymore, so I close these entries. Please comment on help.univention.com or get in touch with the Univention Support team in case you have any suggestions for the SDB.