I’m afraid this is still not possible with Samba 4.8: the password policy affects every domain account. However, things will change as soon as we upgrade to 4.9 because “Password Settings Objects” are implemented!
However, pay attention to the performance hit of PSOs.
It was referring to the 2nd question, which you kind of answered. I can live without disabling password check until 4.9 comes out, and then will investigate whether the performance hit is worth it.
My more pressing question is the first one: is there an ability to change the “Strong” password policy?
Yes it can! NethServer has two password policy options: strong or weak. Neither of them changes the length requirements, so if you manually change that parameter its value should always be preserved. However, I cannot promise this behavior won’t change in the future!
To change that min password length:
[root@vm5 ~]# nsdc-run -- samba-tool domain passwordsettings set --min-pwd-length=3
Minimum password length changed!
All changes applied successfully!
[root@vm5 ~]# nsdc-run -- samba-tool domain passwordsettings show
Password informations for domain 'DC=ad,DC=dpnet,DC=nethesis,DC=it'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
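An added example, not part of the original posts: a small shell check that parses the `passwordsettings show` output above and reports any setting that differs from the value you meant to apply. It only inspects the domain-side values reported by samba-tool; the sample report is constructed from the output in the post, and the expected values passed to `check_policy` are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: confirm the domain password policy matches what you set.

# Constructed sample, in the format printed by the "show" command above.
# On a real host use: report="$(nsdc-run -- samba-tool domain passwordsettings show)"
sample_output() {
cat <<'EOF'
Password informations for domain 'DC=ad,DC=dpnet,DC=nethesis,DC=it'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
}

# policy_value LABEL: read the report on stdin, print the value for LABEL.
# Exit status is 1 when the label is not present.
policy_value() {
    awk -F': ' -v key="$1" '$1 == key { print $2; hit = 1; exit }
                            END { exit !hit }'
}

# check_policy REPORT "Label=expected"...: print each setting that is missing
# or differs from the expected value; return the number of problems found.
check_policy() {
    cp_report="$1"; cp_bad=0
    shift
    for cp_pair in "$@"; do
        cp_label="${cp_pair%%=*}"; cp_want="${cp_pair#*=}"
        if ! cp_got="$(printf '%s\n' "$cp_report" | policy_value "$cp_label")"; then
            echo "MISSING  $cp_label"; cp_bad=$((cp_bad + 1))
        elif [ "$cp_got" != "$cp_want" ]; then
            echo "MISMATCH $cp_label: reported $cp_got, expected $cp_want"
            cp_bad=$((cp_bad + 1))
        fi
    done
    return "$cp_bad"
}

# Expected values here are this example's assumptions; substitute your own.
check_policy "$(sample_output)" "Minimum password length=3" \
    "Password complexity=on" && echo "domain policy matches expected values"
```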
Unfortunately this does not seem to be working anymore for me. It worked once, then not again. I’m running in a VM, so rolled back and tried again, and it doesn’t work, not even a first time anymore. Tried a fresh install, same thing, even if I tried before any updates. Weird.
But, if I use the user import script, it seems to work (although it failed once, but not since).
Not ideal as I can’t manually change a password, but not the end of the world unless something simple is going on.
I have password length set to 4, and it still complains password is too short.
Tried setting it back to 7, and back to 4, nothing.
I also tried setting it to 8, and it still accepts 7.
Sorry… nsdc-run -- samba-tool domain passwordsettings show
Should be less confusing written like that
Anyway: @davidep should NSDC be rebooted after this change?
Maybe some experienced Windows sysadmin might help… I’m afraid Windows clients have their minimum password length requirements that only a GPO or manual local override can change.
On the server manager side, the password length is stored in esmith db IIRC: the domain attribute is ignored.
The Server Manager enforces a minimum length, always
I think because the 7 chars requirement reflects what Windows clients do by default. I may be wrong but it’s a minimum requirement: it’s not allowed to be less than that, no matter if complexity is enforced too.
I don’t think this has anything to do with the Windows clients. I cannot create or edit the NS users in AD with less than 7. If I change the password length to 8, it still allows 7, so it seems to be ignoring that value. At least in my install, and I have tried a fresh install 3 or 4 times.
But, I can use the import script and add users with length=4 passwords, and then can log in to Windows machines with that password, so the import script seems to use the password length, and the NS admin frontend does not.
Yes, I can change the password from the Windows clients.
It is confusing that the server manager does not follow the password length, but maybe this is something that will be changed in the future.
I will mark this as solved again. Thanks.