Bug 45128 - Samba doesn't support Fine Grained Password Policies (FGPP)
Samba doesn't support Fine Grained Password Policies (FGPP)
Status: RESOLVED DUPLICATE of bug 48084
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Reported: 2017-08-03 11:53 CEST by Arvid Requate
Modified: 2018-12-06 20:04 CET

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

FineGrainedPasswordPolicies.sh (819 bytes, application/x-shellscript)
2017-08-03 11:53 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2017-08-03 11:53:00 CEST
Created attachment 9088

Microsoft AD 2008R2 supports Fine Grained Password Policies and the attributes are present in Samba too. The attached script shows how to create a Password Settings Object and how to apply it to a group. But Samba currently lacks two things to make use of this:

1. dynamically calculate attribute "msDS-ResultantPSO"
2. actually apply the password settings during logon

I assume that the implementation should be pretty similar to what has been done for Bug #32974.

Implementing this would add more control options for the Windows Administrator, beyond the domain-wide password settings (see Bug #38748), and improve compatibility with Microsoft Active Directory.
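The first missing piece named above, the dynamic calculation of msDS-ResultantPSO, is the following resolution: PSOs linked directly to the user beat PSOs linked via group membership, the lowest msDS-PasswordSettingsPrecedence wins within that class, and a remaining tie goes to the smallest objectGUID. This is an added example written for this page, not the attached script and not Samba's code; it follows the MS-ADTS rules for the attribute, treats group membership as an already-expanded list, and uses constructed DNs, GUIDs and precedence values.

```python
# Added example, not code from the bug report or from Samba: resolves which
# Password Settings Object (PSO) governs a user, following the MS-ADTS rules
# for the constructed msDS-ResultantPSO attribute. All DNs, GUIDs and
# precedence values are constructed sample data.
from dataclasses import dataclass
import uuid


@dataclass
class PSO:
    dn: str
    precedence: int           # msDS-PasswordSettingsPrecedence, lower wins
    guid: uuid.UUID           # objectGUID, tie-breaker between equal precedences
    applies_to: frozenset = frozenset()  # msDS-PSOAppliesTo (user or group DNs)


def resultant_pso(user_dn, group_dns, psos):
    """Return the DN of the effective PSO, or None if the domain-wide
    password settings apply.  PSOs linked directly to the user take priority
    over PSOs linked through group membership (group_dns: the user's expanded
    group memberships); within the winning class the lowest precedence wins,
    and remaining ties go to the smallest objectGUID (compared here as an
    unsigned integer; the byte order used for that comparison is an assumption)."""
    direct = [p for p in psos if user_dn in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & frozenset(group_dns)]
    candidates = direct or via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int)).dn


def sample_domain():
    """Constructed data: two PSOs applied to groups, one applied to a user."""
    base = "CN=Password Settings Container,CN=System,DC=example,DC=test"
    return [
        PSO(f"CN=Admins-PSO,{base}", 10, uuid.UUID(int=2),
            frozenset({"CN=Domain Admins,CN=Users,DC=example,DC=test"})),
        PSO(f"CN=Staff-PSO,{base}", 20, uuid.UUID(int=1),
            frozenset({"CN=Staff,CN=Users,DC=example,DC=test"})),
        PSO(f"CN=Alice-PSO,{base}", 99, uuid.UUID(int=3),
            frozenset({"CN=alice,CN=Users,DC=example,DC=test"})),
    ]


if __name__ == "__main__":
    psos = sample_domain()
    groups = ["CN=Domain Admins,CN=Users,DC=example,DC=test",
              "CN=Staff,CN=Users,DC=example,DC=test"]
    # alice: direct link wins even though its precedence (99) is the worst
    print(resultant_pso("CN=alice,CN=Users,DC=example,DC=test", groups, psos))
    # bob: only group links, so precedence 10 beats 20
    print(resultant_pso("CN=bob,CN=Users,DC=example,DC=test", groups, psos))
```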
Comment 1 Arvid Requate univentionstaff 2018-12-06 19:44:06 CET
Fixed with Bug #48084

*** This bug has been marked as a duplicate of bug 48084 ***
Comment 2 Arvid Requate univentionstaff 2018-12-06 20:04:50 CET
FYI: To obtain consistent behavior, e.g. for password expiry, for Samba/AD on the one hand and SSH logon on the other, a FGPP/PSO config for a user or group needs to be coordinated with a corresponding UDM policy -- and that's tricky because FGPP/PSO are applied to users or groups (not OUs) but UDM policies are applied to LDAP branches (and individual users as a special case).

As a workaround for MS/AD, Microsoft recommends the creation (and maintenance) of so-called "shadow groups", which gather all users located below a corresponding OU. The maintenance of the group memberships of such "shadow groups" can be done via some scripting and task scheduling (cron). That way Microsoft/AD admins can apply FGPP/PSO to all user accounts located "below" a certain OU.