Password Settings Objects
Added in Samba version: 4.9
Password Settings Objects (PSOs) are an AD feature that's also known as Fine-Grained Password Policies (FGPP). In AD, the password settings for users control:
- Minimum password length and complexity requirements when a user changes their password.
- Password history length: prevents a user from re-using a previous password again.
- Minimum and maximum password age: how frequently the user can/must change their password.
- Account lockout: the threshold of unsuccessful login attempts before locking a user out of their account, and the duration they're locked out for.
Prior to supporting PSOs, Samba Administrators could only configure password settings for all users in the domain. E.g. if you wanted system admins to have longer, more-secure passwords, then every user had to conform to the same password requirements.
PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users.
How to configure it
PSOs can be configured and applied to users/groups using the
samba-tool domain passwordsettings pso set of commands. Refer to
samba-tool domain passwordsettings pso --help for more detail. The PSO commands:
- Manage the PSOs themselves, i.e. configure the password settings using 'create' or 'set' sub-commands. There's also 'delete', 'list', and 'show' commands.
- Control what PSO applies to a particular user. Use the 'apply' and 'unapply' to link a PSO to a particular group or user.
Many different PSOs can apply to the same user (either directly, or via groups). When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect. However, PSOs that apply directly to a user always trump PSOs inherited via group membership. To see what PSO takes effect for a given user, use
samba-tool domain passwordsettings pso show-user.
If no PSO applies to a user, then the domain password settings apply. You can view/modify these using
samba-tool domain passwordsettings show|set.
How to test it
make test TESTS=ldap.password_settings
make test TESTS=samba_tool.passwordsettings
TODO: I just noticed the above inconsistency and I will change it so both tests use 'passwordsettings'.
Note that there are also blackbox.password_settings tests that are unrelated to PSOs.
Where the code is located
<Notable files/functions to start looking at...>
- MS-ADTS documents how the msDS-ResultantPSO is determined (section 18.104.22.168.5.36).
- MS-SAMR documents how the msDS-ResultantPSO is used to determine the effective password setting that gets applied to a user, i.e. Effective-LockoutThreshold, Effective-MinimumPasswordLength, etc. This is documented in section 22.214.171.124 Password Settings Attributes for Originating Update Constraints, but these Effective-XYZ values get referenced in several other places throughout the document, e.g. when calculating userAccountControl.