Samba4 and Password Policies

We’re using a small Samba deployment as our main source of authentication for Windows clients and LDAP. This has worked mostly great until now.

Now came the time when I tried to implement a service that lets you change your password yourself. Here again, it worked mostly fine, but when I was evaluating different products I came across this error message, which confused the heck out of me:

msg: 0000052D: Constraint violation - check_password_restrictions: password is too young to change!


Our Samba4 server seems to ignore the supplied GPOs, which specify a minimum password age of 0 days.

This means that if you go to your PDC console and look a bit closer, the policies that are actually enforced differ from our GPOs (and are a bit more in line with the error message):

root@dc:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Now that we have identified the problem, we can set the policy to the values we want:

root@dc:~# samba-tool domain passwordsettings set --min-pwd-age=0
Minimum password age changed!
All changes applied successfully!

root@dc:~# samba-tool domain passwordsettings set --max-pwd-age=0
Maximum password age changed!
All changes applied successfully!
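
The mismatch between the GPO and what Samba enforces can be checked with a script. The following is an added example, not part of the original post: it parses the output of samba-tool domain passwordsettings show and reports every setting that differs from the value you expect. The function names get_setting and policy_drift are made up for this example, and the sample input is the listing shown above.

```shell
#!/bin/sh
# Added example (not from the original post): compare the password policy
# Samba enforces with the values you expect, e.g. those set in your GPO.

# get_setting LABEL: read `samba-tool domain passwordsettings show` output
# on stdin and print the value that follows "LABEL: ".
get_setting() {
    awk -F': ' -v label="$1" '$1 == label { print $2; exit }'
}

# policy_drift SHOW_OUTPUT "Label=expected" ...
# Prints one line per mismatch; returns 1 if any value differs or is missing.
policy_drift() {
    show_output=$1; shift
    drift=0
    for pair in "$@"; do
        label=${pair%%=*}   # text before the first "="
        want=${pair#*=}     # text after the first "="
        have=$(printf '%s\n' "$show_output" | get_setting "$label")
        if [ "$have" != "$want" ]; then
            printf '%s: enforced=%s expected=%s\n' \
                "$label" "${have:-<missing>}" "$want"
            drift=1
        fi
    done
    return "$drift"
}

# Sample input: the listing from the post, embedded so this runs offline.
SAMPLE=$(cat <<'EOF'
Password informations for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# On a real DC, pass "$(samba-tool domain passwordsettings show)" instead.
policy_drift "$SAMPLE" \
    "Minimum password age (days)=0" \
    "Maximum password age (days)=0" || echo "policy drift detected"
```

Run against the listing above, it reports both age settings as drifted; after the two set commands it should print nothing.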
