Applying a password strategy with Samba-AD
New in version 4.9.
In Samba-AD the domain password policy is managed with the command line:
For complexity (default enabled).
For the minimum password size (default 7 characters).
For minimum / maximum password age (default min 1 / max 42).
Historically the password rules on a Samba domain were global to the domain. Since Samba 4.9 it is possible to define password complexity rules by group and user with PSO, also called FGPP.
Creating a password rule for Administrators
It is necessary to set up a password policy for all other users at the same time, otherwise there is a risk of performance problems (Samba bug):
samba-tool domain passwordsettings pso create "pso_domain_admins" 1 --min-pwd-length=16
samba-tool domain passwordsettings pso apply "pso_domain_admins" "domain admins"
samba-tool domain passwordsettings pso create "pso_service_accounts" 2 --min-pwd-length=24
samba-tool domain passwordsettings pso apply "pso_service_accounts" "service_accounts"
samba-tool domain passwordsettings pso create "pso_domain_users" 99 --min-pwd-length=12
samba-tool domain passwordsettings pso apply "pso_domain_users" "domain users"
Validating differentiated password strategies
samba-tool domain passwordsettings pso show-user administrator
samba-tool user create testuser
samba-tool domain passwordsettings pso show-user testuser
As mentioned above, it is preferable to create a PSO configuration for each user (otherwise there is a performance bug). That said, if no rule exists for a user, the default rule applies. To display the default rule, run the command samba-tool domain passwordsettings show.
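How the precedence values 1, 2 and 99 used above decide which PSO an account gets when it belongs to several of the groups, shown as an added example (not part of the original page or of Samba). It is a simplified shell model covering only group-applied PSOs, where the lowest precedence number wins; the accounts svc_backup, admin_svc and kiosk, the guests group and all group memberships are constructed.

```shell
#!/bin/sh
# Constructed model of the three PSOs created above:
# name|precedence|min-pwd-length|group
PSOS='pso_domain_admins|1|16|domain admins
pso_service_accounts|2|24|service_accounts
pso_domain_users|99|12|domain users'

# Constructed sample accounts (only administrator and testuser appear on the page):
# user|comma-separated group memberships
MEMBERS='administrator|domain admins,domain users
svc_backup|service_accounts,domain users
admin_svc|domain admins,service_accounts,domain users
testuser|domain users
kiosk|guests'

# resultant_pso USER
# Prints "<pso name> <min length>" for the applicable PSO with the lowest
# precedence number, or "default" when none of the user's groups has a PSO.
resultant_pso() {
    grps=$(printf '%s\n' "$MEMBERS" | awk -F'|' -v u="$1" '$1 == u { print $2 }')
    printf '%s\n' "$PSOS" | awk -F'|' -v g="$grps" '
        BEGIN { n = split(g, a, ","); for (i = 1; i <= n; i++) member[a[i]] = 1 }
        ($4 in member) && (out == "" || $2 + 0 < best) { best = $2 + 0; out = $1 " " $3 }
        END { print (out == "" ? "default" : out) }'
}

# users_without_pso
# Lists accounts that fall through to the default domain policy.
users_without_pso() {
    printf '%s\n' "$MEMBERS" | cut -d'|' -f1 | while read -r u; do
        if [ "$(resultant_pso "$u")" = "default" ]; then echo "$u"; fi
    done
}

# Report: one line per account, then the accounts no PSO covers.
printf '%s\n' "$MEMBERS" | cut -d'|' -f1 | while read -r u; do
    printf '%-14s %s\n' "$u" "$(resultant_pso "$u")"
done
echo "no PSO: $(users_without_pso)"
```

In this model admin_svc resolves to the 16-character policy, not the 24-character one: precedence selects a single PSO and does not merge the strictest settings. Confirm real accounts with samba-tool domain passwordsettings pso show-user.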
Help on configuring policy settings is available by running samba-tool domain passwordsettings set --help.
--complexity=off
--history-length=0
--min-pwd-age=0
--max-pwd-age=0
--min-pwd-length=6