Applying a password strategy with Samba-AD

New in version 4.9.

In Samba-AD, the domain password policy is managed from the command line. It covers:

  • Complexity (enabled by default).

  • The minimum password size (default 7 characters).

  • The minimum / maximum password age (default min 1 / max 42).

Historically, the password rules on a Samba domain were global to the domain. Since Samba 4.9, it is possible to define password complexity rules per group and per user with Password Settings Objects (PSO), also called Fine-Grained Password Policies (FGPP).

Creating a password rule for Administrators

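The number after each PSO name is its precedence: when several group-applied PSOs cover the same user, the one with the lowest precedence value wins. Set up a password policy for all other users at the same time; otherwise there is a risk of performance problems (Samba bug):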

samba-tool domain passwordsettings pso create "pso_domain_admins" 1 --min-pwd-length=16
samba-tool domain passwordsettings pso apply "pso_domain_admins"  "domain admins"

samba-tool domain passwordsettings pso create "pso_domain_users" 3 --min-pwd-length=12
samba-tool domain passwordsettings pso apply "pso_domain_users"  "domain users"

samba-tool domain passwordsettings pso create "pso_service_accounts" 2 --min-pwd-length=24
samba-tool domain passwordsettings pso apply "pso_service_accounts"  "service_accounts"

Validating differentiated password strategies

samba-tool domain passwordsettings pso show-user administrator
samba-tool user create testuser
samba-tool domain passwordsettings pso show-user testuser

As mentioned above, it is preferable to create a PSO configuration for each user (otherwise there is a performance bug). That said, if there is no rule for a user, the default rule applies. To display the default rule, run the command samba-tool domain passwordsettings show.
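The following is an added example, not part of the original documentation or of Samba itself: a shell helper that reads the output of pso show-user and flags accounts that fall back to the default rule, or whose PSO minimum length is below a required value. The output format is assumed from the constructed samples embedded in the script, and svc_backup is a hypothetical account name.

```shell
#!/bin/sh
# Added example. Assumption: show-user output follows the constructed samples below.

# Read show-user output on stdin; print "<pso-name> <min-length>",
# or "DEFAULT -" when no PSO applies and the domain default is in effect.
pso_summary() {
    awk -F"'" '
        /^No PSO applies/                { nopso = 1 }
        /^Password information for PSO / { name = $2 }
        /^Minimum password length:/      { split($0, a, ": "); len = a[2] }
        END {
            if (nopso || name == "") print "DEFAULT -"
            else print name, len
        }'
}

# Succeed only if a PSO applies and its minimum length is at least $1.
pso_meets_min() {
    summary=$(pso_summary)
    name=${summary% *}
    len=${summary##* }
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$name" != "DEFAULT" ] && [ "$len" -ge "$1" ]
}

# Live use on a domain controller: audit_user <user> <required-min-length>
audit_user() {
    if samba-tool domain passwordsettings pso show-user "$1" | pso_meets_min "$2"
    then echo "OK   $1"
    else echo "FAIL $1 (default policy applies, or minimum length below $2)"
    fi
}

# Constructed sample outputs, not captured from a real domain.
SAMPLE_ADMIN="The following PSO settings apply to user 'administrator'.

Password information for PSO 'pso_domain_admins'

Precedence (lowest is best): 1
Password complexity: on
Minimum password length: 16"

SAMPLE_NOPSO="No PSO applies to user 'svc_backup'. The default domain settings apply.
Refer to 'samba-tool domain passwordsettings show'."

printf '%s\n' "$SAMPLE_ADMIN" | pso_summary
printf '%s\n' "$SAMPLE_NOPSO" | pso_summary
```

On a domain controller, audit_user administrator 16 runs the same check against live output.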

Help on configuring policy settings can be accessed by running samba-tool domain passwordsettings set --help.

--complexity=off
--history-length=0
--min-pwd-age=0
--max-pwd-age=0
--min-pwd-length=6