Difference between revisions of "Password Settings Objects"

(Test out new documentation template on PSOs)
m
Line 3: Line 3:
 
'''Added in Samba version:''' 4.9
 
'''Added in Samba version:''' 4.9
  
Password Settings Objects (PSOs) is an AD feature also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control:
+
Password Settings Objects (PSOs) are an AD feature that's also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control:
* Minimum password length and complexity requirements when changing a password.
+
* Minimum password length and complexity requirements when a user changes their password.
* Password history length: prevents a user from re-using a previous password.
+
* Password history length: prevents a user from re-using a previous password again.
 
* Minimum and maximum password age: how frequently the user can/must change their password.
 
* Minimum and maximum password age: how frequently the user can/must change their password.
 
* Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for.
 
* Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for.
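Review bot: in the password-history bullet, the new wording "re-using a previous password again" is redundant, since "re-using" already implies repetition. Keep the earlier "prevents a user from re-using a previous password." The other two rewordings in this hunk ("are an AD feature", "when a user changes their password") read fine.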
Line 15: Line 15:
 
=== How to configure it ===
 
=== How to configure it ===
  
PSOs can be configured and applied to users/groups using the <tt>samba-tool domain passwordsettings pso</tt> set of commands.  
+
PSOs can be configured and applied to users/groups using the <code>samba-tool domain passwordsettings pso</code> set of commands.  
Refer to <tt>samba-tool domain passwordsettings pso --help</tt> for more detail.
+
Refer to <code>samba-tool domain passwordsettings pso --help</code> for more detail.
  
 
* Managing the PSOs, i.e. configure the password settings themselves using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands.
 
* Managing the PSOs, i.e. configure the password settings themselves using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands.
 
* Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user.  
 
* Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user.  
  
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use <tt>samba-tool domain passwordsettings pso show-user</tt>.
+
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use <code>samba-tool domain passwordsettings pso show-user</code>.
  
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using <tt>samba-tool domain passwordsettings show|set</tt>.
+
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using <code>samba-tool domain passwordsettings show|set</code>.
  
 
== For Developers ==  
 
== For Developers ==  
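Review bot: the paragraph on multiple PSOs is touched here only for the tt-to-code markup change, but it still says "the PSO with the best precedence takes effect" without saying what "best" means numerically. Since the line is being edited anyway, state whether a lower or a higher precedence value wins. In the same section, "Use the 'apply' and 'unapply' to link a PSO" is missing its noun ("sub-commands").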

Revision as of 04:13, 13 September 2018

Overview

Added in Samba version: 4.9

Password Settings Objects (PSOs) are an AD feature that's also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control:

  • Minimum password length and complexity requirements when a user changes their password.
  • Password history length: prevents a user from re-using a previous password.
  • Minimum and maximum password age: how frequently the user can/must change their password.
  • Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for.

Prior to supporting PSOs, Samba administrators could only configure password settings for all users in the domain. For example, if you wanted system admins to have longer, more-secure passwords, then every user had to conform to the same password requirements.

PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users.

How to configure it

PSOs can be configured and applied to users/groups using the sub-commands of samba-tool domain passwordsettings pso. Refer to samba-tool domain passwordsettings pso --help for more detail. The sub-commands cover two tasks:

  • Managing the PSOs, i.e. configuring the password settings themselves using the 'create' or 'set' sub-commands. There are also 'delete', 'list', and 'show' sub-commands.
  • Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' sub-commands to link a PSO to, or unlink it from, a particular group or user.

Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see which PSO takes effect for a given user, use samba-tool domain passwordsettings pso show-user.

If no PSO applies to a user, then the domain password settings apply. You can view/modify these using samba-tool domain passwordsettings show|set.
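
The resolution rule described above, modelled in Python as an added example (not part of the original page and not Samba's implementation). It assumes the AD convention that a lower msDS-PasswordSettingsPrecedence value ranks higher and that ties go to the smallest objectGUID (compared here as a plain integer, a simplification); the PSO names, GUIDs and values are constructed.

```python
# Added illustration: a simplified model of PSO resolution, not Samba's code.
from dataclasses import dataclass
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int   # msDS-PasswordSettingsPrecedence: lower value ranks higher
    guid: UUID        # objectGUID, used only to break precedence ties
    min_length: int   # msDS-MinimumPasswordLength


def best(psos):
    """Lowest precedence value wins; a tie goes to the smallest GUID."""
    return min(psos, key=lambda p: (p.precedence, p.guid.int), default=None)


def effective_pso(direct, via_groups):
    """Directly applied PSOs beat group-inherited ones regardless of precedence.
    Returns None when no PSO applies (the domain settings are then used)."""
    return best(direct) or best(via_groups)


def shadowed_stricter(direct, via_groups):
    """Names of group PSOs requiring a longer password than the winning direct
    PSO; they are ignored because a direct link exists."""
    winner = best(direct)
    if winner is None:
        return []
    return sorted(p.name for p in via_groups if p.min_length > winner.min_length)


# Constructed sample PSOs (names, GUIDs and values are made up).
ADMINS = PSO("admins-strict", 1, UUID(int=0x20), 16)
STAFF = PSO("staff", 10, UUID(int=0x30), 10)
LEGACY = PSO("svc-legacy", 50, UUID(int=0x10), 6)
STAFF_TWIN = PSO("staff-twin", 10, UUID(int=0x05), 12)

if __name__ == "__main__":
    # A direct link to a weak PSO overrides the strict PSO inherited via a group.
    print(effective_pso([LEGACY], [ADMINS]).name)
    print(shadowed_stricter([LEGACY], [ADMINS, STAFF]))
    print(effective_pso([], [STAFF, ADMINS]).name)      # group links only
    print(effective_pso([], [STAFF, STAFF_TWIN]).name)  # precedence tie
    print(effective_pso([], []))                        # no PSO: domain settings
```

The first case is the one worth auditing for: a PSO applied directly to an account takes effect even when a group the account belongs to carries a stricter PSO with better precedence.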

For Developers

How to test it

make test TESTS=blah

<Anything else notable about running the tests...>

Where the code is located

<Notable files/functions to start looking at...>

Reference Docs

<E.g. Microsoft specification/section that describes the feature in more detail>