Q&A Can you explain the samba passwordsettings


Can you explain the samba passwordsettings


These are the samba/AD password settings for the domain. (globally)

You can also find these settings via terminal with:

 samba-tool domain passwordsettings show
Password informations for domain 'DC=schein,DC=ig'

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 60

Account lockout duration (mins): 1
Account lockout threshold (attempts): 5

A user account gets locked after five logon failures. After the lockout duration with 1 second the user may try again. If he then logs on successfully, the badPwdCount of his account gets reset to 0.


 udm settings/sambadomain list 

DN: sambaDomainName=SCHEIN,cn=samba,dc=schein,dc=ig
  NextGroupRid: 1000
  NextRid: 1000
  NextUserRid: 1000
  SID: S-1-5-21-2438365080-1175145288-4246282840
  badLockoutAttempts: 70
  disconnectTime: 13 seconds
  domainPasswordComplex: 1
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 1
  lockoutDuration: 8 seconds
  logonToChangePW: None
  maxPasswordAge: 30 seconds
  minPasswordAge: 10 seconds
  name: SCHEIN
  passwordHistory: 0
  passwordLength: 3
  refuseMachinePWChange: None
  resetCountMinutes: 6

You can have a look in this article, with explains the password concept al little bit. It is definitely worth checking out.

This is the mapping to the samba Options, and maybe a little bit more obvious.

Bad lockout attempts → sambaLockoutThreshold → Values are: 0 for never locked, or between 1 and 999
The number negative attempts a user has to type in the correct password.
Reset count minutes → sambaLockoutObservationWindow
How long will those negative password attempts be saved until the counter is reset to 0?
Lockout duration minutes →sambaLockoutDuration
How long shall accounts be locked if the password was incorrect?
Disconnect time → sambaForceLogoff

And these Options are the same ones that apply to AD

sambaForceLogoff is explained here:

This topic was automatically closed after 24 hours. New replies are no longer allowed.