Univention Bugzilla – Bug 45128
Samba doesn't support Fine Grained Password Policies (FGPP)
Last modified: 2018-12-06 20:04:50 CET
Created attachment 9088
Microsoft AD 2008R2 supports Fine Grained Password Policies and the attributes are present in Samba too. The attached script shows how to create a Password Settings Object and how to apply it to a group. But Samba currently lacks two things to make use of this:
1. dynamically calculate attribute "msDS-ResultantPSO"
2. actually apply the password settings during logon
I assume that the implementation should be pretty similar to what has been done for Bug #32974.
Implementing this would add more control options for the Windows administrator, beyond the domain-wide password settings (see Bug #38748), and improve the compatibility with Microsoft Active Directory.
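The first missing piece named in the report, the dynamic calculation of `msDS-ResultantPSO`, is shown below as an added example that is not part of the bug report, the attached script or Samba's own code. It applies the precedence rules Microsoft documents for PSO resolution: a PSO linked directly to the user beats any PSO reached through group membership (group membership is resolved transitively), among competing PSOs the lowest `msDS-PasswordSettingsPrecedence` wins, an equal precedence is broken by the lowest `objectGUID`, and with no applicable PSO the domain default policy stays in force. The directory content, group nesting and GUID values are constructed sample data; the GUID comparison as a 128-bit integer is an assumption made for the tie-break.

```python
# Added example (not from the bug report or Samba): resolve the effective
# Password Settings Object (msDS-ResultantPSO) for a user from constructed
# directory data, following the documented precedence rules.
from __future__ import annotations
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class PSO:
    dn: str
    precedence: int              # msDS-PasswordSettingsPrecedence (lower wins)
    guid: uuid.UUID              # objectGUID, used only as the tie breaker
    applies_to: frozenset        # msDS-PSOAppliesTo: DNs of users or groups


@dataclass
class Directory:
    # group DN -> set of direct member DNs (users or nested groups)
    members: dict = field(default_factory=dict)
    psos: list = field(default_factory=list)

    def groups_of(self, dn: str) -> set:
        """Transitive group membership; the visited set survives nesting loops."""
        result, todo = set(), [dn]
        while todo:
            cur = todo.pop()
            for grp, mem in self.members.items():
                if cur in mem and grp not in result:
                    result.add(grp)
                    todo.append(grp)
        return result

    def resultant_pso(self, user_dn: str):
        """Return the winning PSO, or None when the domain default applies."""
        def best(candidates):
            # lowest precedence first; equal precedence -> lowest objectGUID
            # (assumption: GUID compared as a 128-bit integer)
            return min(candidates, key=lambda p: (p.precedence, p.guid.int)) if candidates else None

        direct = [p for p in self.psos if user_dn in p.applies_to]
        if direct:                       # direct links win regardless of precedence
            return best(direct)
        groups = self.groups_of(user_dn)
        via_group = [p for p in self.psos if p.applies_to & groups]
        return best(via_group)


def build_sample_directory() -> Directory:
    """Constructed sample data: nested groups and four PSOs with deliberate conflicts."""
    admins = "CN=Admins,OU=Groups,DC=example,DC=com"
    staff = "CN=Staff,OU=Groups,DC=example,DC=com"
    users = {n: f"CN={n},OU=Users,DC=example,DC=com" for n in ("alice", "bob", "carol", "dave")}
    pso_base = "CN=Password Settings Container,CN=System,DC=example,DC=com"
    d = Directory()
    d.members[admins] = {users["alice"]}
    d.members[staff] = {admins, users["bob"], users["dave"]}   # Admins nested in Staff
    d.psos = [
        PSO(f"CN=AdminsPSO,{pso_base}", 10, uuid.UUID(int=10), frozenset({admins})),
        PSO(f"CN=StaffPSO,{pso_base}", 20, uuid.UUID(int=2), frozenset({staff})),
        PSO(f"CN=TiePSO,{pso_base}", 20, uuid.UUID(int=1), frozenset({staff})),
        PSO(f"CN=BobPSO,{pso_base}", 50, uuid.UUID(int=50), frozenset({users["bob"]})),
    ]
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for name in ("alice", "bob", "carol", "dave"):
        pso = d.resultant_pso(f"CN={name},OU=Users,DC=example,DC=com")
        print(name, "->", pso.dn if pso else "domain default policy")
```

Note what the conflicts show: alice is reached only through nested groups and gets the precedence-10 PSO; bob carries a directly linked PSO that wins even though its precedence value (50) is worse than Staff's; dave sits behind two group PSOs with equal precedence, so the lower GUID decides; carol matches nothing and keeps the domain policy.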
Fixed with Bug #48084
*** This bug has been marked as a duplicate of bug 48084 ***
FYI: To obtain consistent behavior e.g. for password expiry for Samba/AD on one hand and SSH-Logon on the other, a FGPP/PSO config for a user or group needs to be coordinated with a corresponding UDM policy -- and that's tricky because FGPP/PSO are applied to users or groups (not OUs) but UDM policies are applied to LDAP-branches (and individual users as a special case).
As a workaround for MS/AD, Microsoft recommends the creation (and maintenance) of so-called "shadow groups", that gather all users located below a corresponding OU. The maintenance of the group memberships of such "shadow groups" can be done via some scripting and task scheduling (cron). That way Microsoft/AD admins can apply FGPP/PSO to all user accounts located "below" a certain OU.
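The reconciliation step such a scheduled job has to perform is sketched below as an added example; it is not part of the bug report and not a Univention or Microsoft tool. Given the DNs of all user accounts and the current member list of a shadow group, it returns which accounts to add and which to remove so that the group mirrors exactly the users located below the target OU, including users in sub-OUs. DN comparison is case-insensitive and tolerates whitespace after commas and escaped commas in RDN values (a minimal splitter, not a full RFC 4514 parser). All DNs are constructed sample data; the `reconcile` function name is this example's own.

```python
# Added example (not from the bug report): compute the membership changes a
# "shadow group" needs so that it contains exactly the users below one OU.
import re

# split on commas that are not escaped with a backslash (e.g. "CN=Smith\, John")
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_components(dn: str) -> list:
    """Normalized RDN list: trimmed and lower-cased, so 'OU=Sales' == ' ou=sales'."""
    return [part.strip().lower() for part in _RDN_SPLIT.split(dn)]


def normalize_dn(dn: str) -> str:
    return ",".join(dn_components(dn))


def is_below_ou(user_dn: str, ou_dn: str) -> bool:
    """True when the OU is a strict suffix of the user's DN (any depth below the OU)."""
    u, o = dn_components(user_dn), dn_components(ou_dn)
    return len(u) > len(o) and u[-len(o):] == o


def reconcile(all_user_dns, ou_dn: str, current_member_dns):
    """Return (to_add, to_remove) as the original DN strings, sorted deterministically."""
    desired = {normalize_dn(d): d for d in all_user_dns if is_below_ou(d, ou_dn)}
    current = {normalize_dn(d): d for d in current_member_dns}
    to_add = [desired[k] for k in sorted(desired.keys() - current.keys())]
    to_remove = [current[k] for k in sorted(current.keys() - desired.keys())]
    return to_add, to_remove


# constructed sample data: one user in a sub-OU, one with an escaped comma,
# one stale member from another OU that must be removed again
SAMPLE_USERS = [
    "CN=Alice,OU=Sales,DC=example,DC=com",
    "cn=bob, ou=Inside Sales, ou=sales, dc=example, dc=com",
    "CN=Carol,OU=Engineering,DC=example,DC=com",
    "CN=Smith\\, John,OU=Sales,DC=example,DC=com",
]
SAMPLE_OU = "OU=Sales,DC=example,DC=com"
SAMPLE_MEMBERS = [
    "cn=alice,ou=sales,dc=example,dc=com",
    "CN=Carol,OU=Engineering,DC=example,DC=com",
]

if __name__ == "__main__":
    add, remove = reconcile(SAMPLE_USERS, SAMPLE_OU, SAMPLE_MEMBERS)
    print("add:", add)
    print("remove:", remove)
```

The job would then issue the corresponding `member` add and delete modifications against the shadow group; returning the original DN strings (rather than the normalized keys) keeps those modifications usable as-is.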