Password Settings Objects: Difference between revisions
(Test out new documentation template on PSOs) |
mNo edit summary |
||
Line 3: | Line 3: | ||
'''Added in Samba version:''' 4.9 |
'''Added in Samba version:''' 4.9 |
||
Password Settings Objects (PSOs) |
Password Settings Objects (PSOs) are an AD feature that's also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control: |
||
* Minimum password length and complexity requirements when |
* Minimum password length and complexity requirements when a user changes their password. |
||
* Password history length: prevents a user from re-using a previous password. |
* Password history length: prevents a user from re-using a previous password again. |
||
* Minimum and maximum password age: how frequently the user can/must change their password. |
* Minimum and maximum password age: how frequently the user can/must change their password. |
||
* Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for. |
* Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for. |
||
Line 15: | Line 15: | ||
=== How to configure it === |
=== How to configure it === |
||
PSOs can be configured and applied to users/groups using the < |
PSOs can be configured and applied to users/groups using the <code>samba-tool domain passwordsettings pso</code> set of commands. |
||
Refer to < |
Refer to <code>samba-tool domain passwordsettings pso --help</code> for more detail. |
||
* Managing the PSOs, i.e. configure the password settings themselves using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands. |
* Managing the PSOs, i.e. configure the password settings themselves using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands. |
||
* Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user. |
* Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user. |
||
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use < |
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use <code>samba-tool domain passwordsettings pso show-user</code>. |
||
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using < |
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using <code>samba-tool domain passwordsettings show|set</code>. |
||
== For Developers == |
== For Developers == |
Revision as of 04:13, 13 September 2018
Overview
Added in Samba version: 4.9
Password Settings Objects (PSOs) are an AD feature that's also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control:
- Minimum password length and complexity requirements when a user changes their password.
- Password history length: prevents a user from re-using a previous password again.
- Minimum and maximum password age: how frequently the user can/must change their password.
- Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for.
Prior to supporting PSOs, Samba Administrators could only configure password settings for all users in the domain. E.g. if you wanted system admins to have longer, more-secure passwords, then every user had to conform to the same password requirements.
PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users.
How to configure it
PSOs can be configured and applied to users/groups using the samba-tool domain passwordsettings pso
set of commands.
Refer to samba-tool domain passwordsettings pso --help
for more detail.
- Managing the PSOs, i.e. configure the password settings themselves using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands.
- Managing what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user.
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use samba-tool domain passwordsettings pso show-user
.
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using samba-tool domain passwordsettings show|set
.
For Developers
How to test it
make test TESTS=blah
<Anything else notable about running the tests...>
Where the code is located
<Notable files/functions to start looking at...>
Reference Docs
<E.g. Microsoft specification/section that describes the feature in more detail>