.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Applying a password strategy with Samba-AD
   :keywords: Security, Samba-AD, documentation, Password Strategy

.. _samba_password_policies:

##########################################
Applying a password strategy with Samba-AD
##########################################

.. versionadded:: 4.9

In Samba-AD the domain password policy is managed with the command line:

* For complexity (default enabled).
* For the minimum password size (default 7 characters).
* For minimum / maximum password age (default min 1 / max 42).

Historically the password rules on a Samba domain were global to the domain.

Since Samba 4.9 it is possible to define password complexity rules by group and user with :abbr:`PSO (Password Strategy Object)`, also called :abbr:`FGPP (Fine Grained Default Policies)`.

*******************************************
Creating a password rule for Administrators
*******************************************

It is necessary to set up a password policy for all other users at the same time, otherwise there is a risk of performance problems (samba bug):

.. code-block:: bash

   samba-tool domain passwordsettings pso create "pso_domain_admins" 1 --min-pwd-length=16
   samba-tool domain passwordsettings pso apply "pso_domain_admins" "domain admins"
   samba-tool domain passwordsettings pso create "pso_domain_users" 3 --min-pwd-length=12
   samba-tool domain passwordsettings pso apply "pso_domain_users" "domain users"
   samba-tool domain passwordsettings pso create "pso_service_accounts" 2 --min-pwd-length=24
   samba-tool domain passwordsettings pso apply "pso_service_accounts" "service_accounts"

*********************************************
Validating differentiated password strategies
*********************************************

.. code-block:: bash

   samba-tool domain passwordsettings pso show-user administrator
   samba-tool user create testuser
   samba-tool domain passwordsettings pso show-user testuser

As mentioned above, it is preferable to create a PSO configuration for each user (otherwise there is a performance bug). That said, if there is no rule for a user, the default rule will apply.

To display the default rule, run the command :command:`samba-tool domain passwordsettings show`.

Help on configuring policy settings is available with :command:`samba-tool domain passwordsettings set --help`.

.. code-block:: ini

   --complexity=off
   --history-length=0
   --min-pwd-age=0
   --max-pwd-age=0
   --min-pwd-length=6
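
The second argument to ``pso create`` in the commands above is the PSO precedence: when several PSOs apply to one account, the lowest precedence value wins, and a PSO applied directly to a user beats any PSO applied through a group. The script below is an added example, not part of the original page or of Samba; it models that resolution for the three PSOs created on this page, and the table notation, the function name ``effective_pso`` and the ``svc_backup`` account are assumptions made for illustration.

```bash
#!/bin/sh
# Constructed model of the PSOs created above: name|precedence|min-pwd-length|target
# "group:<name>" / "user:<name>" is notation invented for this example.
PSO_TABLE='pso_domain_admins|1|16|group:domain admins
pso_domain_users|3|12|group:domain users
pso_service_accounts|2|24|group:service_accounts'

# effective_pso "<comma-separated principals>"
# Prints "<pso name> <min length>" for the PSO that wins, or "default"
# when no PSO matches and the domain-wide settings apply.
effective_pso() {
    principals=",$1,"
    best="default"; best_prec=""; best_direct=0
    while IFS='|' read -r name prec minlen target; do
        [ -n "$name" ] || continue
        # Skip PSOs not applied to this user or to one of its groups.
        case "$principals" in *",$target,"*) ;; *) continue ;; esac
        direct=0
        case "$target" in user:*) direct=1 ;; esac
        # A PSO applied directly to the user beats any group PSO;
        # otherwise the lowest precedence value wins.
        if [ "$direct" -gt "$best_direct" ] ||
           { [ "$direct" -eq "$best_direct" ] &&
             { [ -z "$best_prec" ] || [ "$prec" -lt "$best_prec" ]; }; }; then
            best="$name $minlen"; best_prec=$prec; best_direct=$direct
        fi
    done <<EOF
$PSO_TABLE
EOF
    echo "$best"
}

# Constructed memberships: an ordinary user, then a service account
# that has also been added to "domain admins".
effective_pso "user:testuser,group:domain users"
effective_pso "user:svc_backup,group:service_accounts,group:domain admins"
```

The second call shows that a service account which is also a member of ``domain admins`` ends up under the 16-character rule rather than the 24-character one, because precedence 1 beats precedence 2. On a real domain, confirm the result with ``samba-tool domain passwordsettings pso show-user``.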