Bug 38748 - Password-/Account lockout Group Policies can't be used
Password-/Account lockout Group Policies can't be used
Status: RESOLVED DUPLICATE of bug 48084
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 enhancement with 2 votes (vote)
: ---
Assigned To: Samba maintainers
https://wiki.samba.org/index.php/GSOC...
:
Depends on:
Blocks: 38749
  Show dependency treegraph
 
Reported: 2015-06-23 10:42 CEST by Janis Meybohm
Modified: 2018-12-06 19:53 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2015061221000471, 2017062321000831
Bug group (optional):
Max CVSS v3 score:


Attachments
FineGrainedPasswordPolicies.sh (819 bytes, application/x-shellscript)
2017-08-03 11:46 CEST, Arvid Requate
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2015-06-23 10:42:14 CEST
Ticket#2015061221000471

At this time, Password-/Account lockout-Policies can't be used as samba does not evaluate them:

https://lists.samba.org/archive/samba-technical/2013-February/090285.html
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

It's a little confusing that a Password-/Account lockout-Policy is evaluated by the client and all values are set correctly in local security settings!


The only way password settings can be enforced in UCS AD is "samba-tool domain passwordsettings".
Comment 1 Arvid Requate univentionstaff 2015-06-23 14:21:58 CEST
As far as I see Samba DCs currently also don't evaluate the Fine-Grained Password Policies (PSO).
Comment 2 Arvid Requate univentionstaff 2016-11-18 12:46:41 CET
The GPO settings typical minimum password length and password complexity settings are stored in Policies/\{GUID\}/MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf as plain UTF-16LE:

=============
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 2
PasswordComplexity = 1
[Registry Values]
=============

I propose checking the Samba code for locations where the domain wide password settings are evaluated and see how we can add code to evaluate and consider GPO settings like these too at those points. I think that's the first step, ignore my comment 1 about FGPP/PSO for now.
Comment 3 Jan Christoph Ebersbach univentionstaff 2016-11-18 14:27:12 CET
This issue applies to larger UCS@school installation as soon as password policies are implemented.  A common requirement is that password policies for elementary schools are less strict than in middle and high schools.
Comment 4 Arvid Requate univentionstaff 2016-11-21 15:43:21 CET
See URL above and

* samdb_check_password in source4/dsdb/common/util.c
  called by check_password_restrictions in source4/dsdb/samdb/ldb_modules/password_hash.c
  and dcesrv_samr_ValidatePassword in source4/rpc_server/samr/dcesrv_samr.c
  
* dcesrv_samr_GetUserPwInfo in source4/rpc_server/samr/dcesrv_samr.c
  (Oppnum 0x2c https://msdn.microsoft.com/en-us/library/cc245725.aspx)
Comment 5 Lukas Oyen univentionstaff 2016-12-06 15:20:55 CET
The GSOC project implemented a gpo update service that periodically runs a
`samba_gpoupdate` python script. This script traverses the sysvol GUIDs, reads
and parses the GPO files and maps the attributes `minPwdAge`, `maxPwdAge`,
`minPwdLength` and `pwdProperties` into samdb (and thus onto the DC object).

- Patches on `samba-technical`: https://lists.samba.org/archive/samba-technical/2014-June/100275.html
- Luke Morrison's Github Repository: https://github.com/LukeM12/samba
- Cleaned up by Garming Sam: http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/gpo-update
Comment 6 Arvid Requate univentionstaff 2016-12-06 21:31:40 CET
I've tested this with native AD at the example of minPwdLength:


* The "Default Domain Policy" GPO, linked to the LDAP base, defines a minimum of 7, see https://technet.microsoft.com/en-us/library/hh994560(v=ws.11).aspx


* When this value is changed (and I rebooted the server), the corresponding attribute at the LDAP base gets updated.


* Values set (manually) in "Default Domain Controller Policy" are ignored (in Windows Server 2008 R2), apparently because that GPO is linked to a OU and not to the domain itself. https://www.sysoptools.com/wp-content/uploads/2016/01/Domain-Password-Security-Policy-Explained.pdf assumes that this might be a security decision by MS. See also https://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx


So it seems that this GPO setting is just another way to control the values at the LDAP base. This means that the GSOC code is basically doing the right thing (apart from details when it comes to looking for the applicable GPO), and there is no extra adjustment required to evaluate the GPOs at password change time.


Additionally this means that this feature alone doesn't allow defining special password policies for different (users, groups of users, LDAP branches).
We would need to consider Comment 1 for that, i.e. implement support for Fine Grained Password Policies (FGPP) via Password Settings Objects (PSO).

As discussed in the development department: Let's simply fix Bug 42592 first, that's important anyway and may additionally allow adjusting password policies on a per-school basis - currently at the expense of central administrability.
Comment 7 Arvid Requate univentionstaff 2017-08-03 11:46:19 CEST
Created attachment 9087 [details]
FineGrainedPasswordPolicies.sh

Microsoft AD 2008R2 supports Fine Grained Password Policies and the attributes are present in Samba too. The attached Script shows how to create a Password Settings Object and how to apply it to a group. But Samba currently lacks two things to make use of this:

1. dynamically calculate attribute "msDS-ResultantPSO"
2. actually apply the password settings during logon

I assume that the implementation should be pretty similar to what has been done for Bug #32974.
Comment 8 Arvid Requate univentionstaff 2017-08-03 11:54:28 CEST
I've split of the FGPP topic (Comment 7) as Bug #45128
Comment 9 Arvid Requate univentionstaff 2018-12-06 19:53:36 CET
With Samba > 4.8 (Bug #48084) and Bug #32974 fixed this should be possible:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#KDC_GPO_application

Samba 4.9 also implemented support for FGPP (Bug #45128).

*** This bug has been marked as a duplicate of bug 48084 ***