
How to manage global password policy settings in Samba Active Directory

Use samba-tool to view and change the domain-wide password policy in Samba Active Directory.

Display current password settings for the domain.

$ sudo samba-tool domain passwordsettings show
Password information for domain 'DC=octocat,DC=lab'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

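Alter password settings. This example sets the minimum password age to 0 days, raises the maximum password age to 180 days, and sets the account lockout threshold to 10 attempts (a threshold of 0, as shown above, means accounts are never locked out).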

$ sudo samba-tool domain passwordsettings set --complexity=on \
                                              --store-plaintext=off \
                                              --history-length=24 \
                                              --min-pwd-length=7 \
                                              --min-pwd-age=0 \
                                              --max-pwd-age=180 \
                                              --account-lockout-duration=30 \
                                              --account-lockout-threshold=10 \
                                              --reset-account-lockout-after=30
Password complexity activated!
Plaintext password storage for changed passwords deactivated!
Password history length changed!
Minimum password length changed!
Minimum password age changed!
Maximum password age changed!
Account lockout duration changed!
Account lockout threshold changed!
Duration to reset account lockout after changed!
All changes applied successfully!

Display updated password settings for the domain.

$ sudo samba-tool domain passwordsettings show
Password information for domain 'DC=octocat,DC=lab'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 180
Account lockout duration (mins): 30
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30

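Ensure that the minimum password age is set to 0 if you need to alter passwords immediately. With a minimum age of 1 day, a user who has just changed a password cannot change it again until the next day.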
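To confirm later that the domain still carries the values applied above, the output of the show command can be compared against them. The script below is an added example, not part of the original page; check_policy and the sample variable are hypothetical names, and the sample input is constructed from the first show output on this page.

```shell
#!/bin/sh
# Added example: detect drift between the live domain policy and the values
# applied with `passwordsettings set` on this page.
# Expected values, "label|value", labels exactly as `show` prints them.
EXPECTED='Password complexity|on
Store plaintext passwords|off
Password history length|24
Minimum password length|7
Minimum password age (days)|0
Maximum password age (days)|180
Account lockout duration (mins)|30
Account lockout threshold (attempts)|10
Reset account lockout after (mins)|30'

# check_policy (hypothetical helper): reads `show` output on stdin, prints one
# line per deviation, returns 0 if all settings match and 1 otherwise.
check_policy() {
    actual=$(cat)
    drift=0
    while IFS='|' read -r label want; do
        # Find the line with this exact label and take the text after ": ".
        got=$(printf '%s\n' "$actual" |
              awk -F': ' -v l="$label" '$1 == l { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING: $label"; drift=1
        elif [ "$got" != "$want" ]; then
            echo "DRIFT: $label is '$got', expected '$want'"; drift=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$drift"
}

# Constructed sample: the first `show` output on this page (before the change).
SAMPLE_BEFORE="Password information for domain 'DC=octocat,DC=lab'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30"

# Offline demo; on a DC: sudo samba-tool domain passwordsettings show | check_policy
printf '%s\n' "$SAMPLE_BEFORE" | check_policy || echo "policy differs from expected"
```

Run from cron or a monitoring check, a non-zero exit status signals that someone changed the domain policy away from the intended values.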