Univention Bugzilla – Bug 38748
Password-/Account lockout Group Policies can't be used
Last modified: 2018-12-06 19:53:36 CET
Ticket#2015061221000471

At this time, Password-/Account lockout policies can't be used, as Samba does not evaluate them:
https://lists.samba.org/archive/samba-technical/2013-February/090285.html
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

It's a little confusing that a Password-/Account lockout policy is evaluated by the client and all values are set correctly in the local security settings!

The only way password settings can be enforced in UCS AD is "samba-tool domain passwordsettings".
As far as I can see, Samba DCs currently also don't evaluate the Fine-Grained Password Policies (PSO).
The typical GPO settings, minimum password length and password complexity, are stored in Policies/{GUID}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf as plain UTF-16LE:
=============
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 2
PasswordComplexity = 1
[Registry Values]
=============
I propose checking the Samba code for the locations where the domain-wide password settings are evaluated and seeing how we can add code to evaluate and consider GPO settings like these at those points too. I think that's the first step; ignore my comment 1 about FGPP/PSO for now.
This issue applies to larger UCS@school installations as soon as password policies are implemented. A common requirement is that password policies for elementary schools are less strict than those in middle and high schools.
See URL above and
* samdb_check_password in source4/dsdb/common/util.c, called by check_password_restrictions in source4/dsdb/samdb/ldb_modules/password_hash.c and by dcesrv_samr_ValidatePassword in source4/rpc_server/samr/dcesrv_samr.c
* dcesrv_samr_GetUserPwInfo in source4/rpc_server/samr/dcesrv_samr.c (Opnum 0x2c, https://msdn.microsoft.com/en-us/library/cc245725.aspx)
The GSoC project implemented a GPO update service that periodically runs a `samba_gpoupdate` Python script. This script traverses the sysvol GUIDs, reads and parses the GPO files and maps the attributes `minPwdAge`, `maxPwdAge`, `minPwdLength` and `pwdProperties` into samdb (and thus onto the DC object).
- Patches on `samba-technical`: https://lists.samba.org/archive/samba-technical/2014-June/100275.html
- Luke Morrison's GitHub repository: https://github.com/LukeM12/samba
- Cleaned up by Garming Sam: http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/gpo-update
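The conversion step that the GptTmpl.inf excerpt in comment 2 and the gpoupdate description above both rely on, written out as an added Python example. This is not the `samba_gpoupdate` script, not Samba code and not anything attached to this bug: it decodes a constructed UTF-16LE GptTmpl.inf (the file from comment 2, extended with the lockout keys), reads the [System Access] section and translates the values into the samdb attribute names and units. The key names, the attribute names, the 100ns-tick units, the 0x8000000000000000 "never" sentinel and the pwdProperties bits follow MS-ADTS/MS-SAMR; the helper and function names are the example's own. It deliberately returns only the attributes the GPO actually sets, so keys absent from the INF leave the domain head untouched.

```python
"""Map a SYSVOL GptTmpl.inf [System Access] section onto samdb domain password
attributes.  Added example for Bug 38748, not Samba's own gpoupdate code."""
import configparser

NTTIME_PER_SEC = 10_000_000            # AD stores durations as (negative) 100ns ticks
NEVER = -0x8000000000000000            # int64 0x8000000000000000: "never" / "until admin unlocks"
DOMAIN_PASSWORD_COMPLEX = 0x1          # pwdProperties bits (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10


def _interval(value, seconds_per_unit, allow_never):
    """INF durations are positive day/minute counts (-1 = never); samdb wants
    negative 100ns intervals.  The sign flip is the classic mistake here."""
    v = int(value)
    if v == -1 and allow_never:
        return NEVER
    if v < 0:
        raise ValueError(f"invalid duration {v}")
    return -(v * seconds_per_unit * NTTIME_PER_SEC)


# [System Access] key  ->  (samdb attribute on the domain head, converter)
SYSTEM_ACCESS_MAP = {
    "MinimumPasswordAge":    ("minPwdAge",  lambda v: _interval(v, 86400, False)),
    "MaximumPasswordAge":    ("maxPwdAge",  lambda v: _interval(v, 86400, True)),
    "MinimumPasswordLength": ("minPwdLength", int),
    "PasswordHistorySize":   ("pwdHistoryLength", int),
    "LockoutBadCount":       ("lockoutThreshold", int),
    "ResetLockoutCount":     ("lockOutObservationWindow", lambda v: _interval(v, 60, False)),
    "LockoutDuration":       ("lockoutDuration", lambda v: _interval(v, 60, True)),
}
# Boolean keys that set or clear a bit in pwdProperties (other bits are kept).
PWD_PROPERTY_BITS = {
    "PasswordComplexity": DOMAIN_PASSWORD_COMPLEX,
    "ClearTextPassword":  DOMAIN_PASSWORD_STORE_CLEARTEXT,
}


def decode_gpttmpl(data: bytes) -> str:
    """GptTmpl.inf is UTF-16LE, normally with a BOM; tolerate a missing one."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-16-le")


def parse_gpttmpl(data: bytes) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)   # "$CHICAGO$" must not interpolate
    cp.optionxform = str                                  # keep key case
    cp.read_string(decode_gpttmpl(data))
    return cp


def gpttmpl_to_samdb(data: bytes, current_pwd_properties: int = 0) -> dict:
    """Return {samdb attribute: value} for every password/lockout key present."""
    cp = parse_gpttmpl(data)
    out = {}
    if not cp.has_section("System Access"):
        return out                      # GPO carries no password settings: change nothing
    sa = cp["System Access"]
    for key, (attr, conv) in SYSTEM_ACCESS_MAP.items():
        if key in sa:
            out[attr] = conv(sa[key].strip())
    props, touched = current_pwd_properties, False
    for key, bit in PWD_PROPERTY_BITS.items():
        if key in sa:
            touched = True
            props = (props | bit) if int(sa[key]) else (props & ~bit)
    if touched:
        out["pwdProperties"] = props
    # The same consistency rules AD enforces; both values are negative, so a
    # "shorter" interval is the numerically larger one.
    max_age = out.get("maxPwdAge")
    if max_age not in (None, 0, NEVER) and out.get("minPwdAge", 0) <= max_age:
        raise ValueError("minimum password age must be shorter than maximum password age")
    duration = out.get("lockoutDuration")
    if duration not in (None, NEVER) and duration > out.get("lockOutObservationWindow", duration):
        raise ValueError("lockout duration must not be shorter than the observation window")
    return out


# Constructed sample input: comment 2's file plus lockout keys, as Windows writes it.
SAMPLE_GPTTMPL = b"\xff\xfe" + (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 1\r\n"
    "MaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 2\r\n"
    "PasswordComplexity = 1\r\n"
    "ClearTextPassword = 0\r\n"
    "PasswordHistorySize = 24\r\n"
    "LockoutBadCount = 5\r\n"
    "ResetLockoutCount = 30\r\n"
    "LockoutDuration = -1\r\n"
    "[Registry Values]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for attr, value in gpttmpl_to_samdb(SAMPLE_GPTTMPL).items():
        print(f"{attr}: {value}")
```

Writing the returned dictionary to the domain head is the part left to the caller (samdb modify of the base DN); the example stops at the values because that is where unit and sign errors creep in. It does not decide which GPO applies; as the test in the next comment shows, only a GPO linked at the domain root counts.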
I've tested this with native AD, using minPwdLength as the example:
* The "Default Domain Policy" GPO, linked to the LDAP base, defines a minimum of 7, see https://technet.microsoft.com/en-us/library/hh994560(v=ws.11).aspx
* When this value is changed (and I rebooted the server), the corresponding attribute at the LDAP base gets updated.
* Values set (manually) in the "Default Domain Controller Policy" are ignored (in Windows Server 2008 R2), apparently because that GPO is linked to an OU and not to the domain itself. https://www.sysoptools.com/wp-content/uploads/2016/01/Domain-Password-Security-Policy-Explained.pdf assumes that this might be a security decision by MS. See also https://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx

So it seems that this GPO setting is just another way to control the values at the LDAP base. This means that the GSoC code is basically doing the right thing (apart from details when it comes to looking for the applicable GPO), and no extra adjustment is required to evaluate the GPOs at password change time.

Additionally, this means that this feature alone doesn't allow defining special password policies for different users, groups of users or LDAP branches. We would need to consider comment 1 for that, i.e. implement support for Fine Grained Password Policies (FGPP) via Password Settings Objects (PSO).

As discussed in the development department: let's simply fix Bug 42592 first; that's important anyway and may additionally allow adjusting password policies on a per-school basis, currently at the expense of central administrability.
Created attachment 9087
FineGrainedPasswordPolicies.sh

Microsoft AD 2008 R2 supports Fine Grained Password Policies, and the attributes are present in Samba too. The attached script shows how to create a Password Settings Object and how to apply it to a group. But Samba currently lacks two things to make use of this:
1. dynamically calculating the attribute "msDS-ResultantPSO"
2. actually applying the password settings during logon
I assume that the implementation should be pretty similar to what has been done for Bug #32974.
I've split off the FGPP topic (comment 7) as Bug #45128.
With Samba > 4.8 (Bug #48084) and Bug #32974 fixed, this should be possible: https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#KDC_GPO_application
Samba 4.9 also implemented support for FGPP (Bug #45128).

*** This bug has been marked as a duplicate of bug 48084 ***