We’re using a small Samba deployment as our main source of Authentication for Windows-Clients and LDAP. This has worked mostly great until now.
Now was the time where I tried to implement a service to change your password by yourself. Here again: It has worked mostly fine, but when I was evaluating different products I came across this error message that confused the heck out of me:
msg: 0000052D: Constraint violation - check_password_restrictions: password is too young to change!Solution
Our Samba4 Server seems to ignore the supplied GPOs that specify a minimum password age of 0 days.
This meant, that if you go to your PDC console and look a bit closer the policies that are enforced are different than our GPOs (and a bit more in line with the error-message)
root@dc:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=example,DC=com'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30After we have identified the problem, we can set our policy to what we’re trying to get.
root@dc:~# samba-tool domain passwordsettings set --min-pwd-age=0
Minimum password age changed!
All changes applied successfully!
root@dc:~# samba-tool domain passwordsettings set --max-pwd-age=0
Maximum password age changed!
All changes applied successfully!
Schreibe einen Kommentar