Talk:HOWTO LDAP SAMBA PDC Performance Tuning

From Gentoo Linux Wiki


You are able to use group policies with Samba. I'll write a quick howto about this when I have some spare time and dump it here. So, that leaves the great layout thing to you :) Might want to remind me in a week or so. After some serious ramping around on the inet, I found a way to get some stuff working.

Policies are really just enforced registry settings. So basically, it is possible to make any setting in the registry a policy setting.

Po0ky 08:26, 13 December 2005 (GMT)



Group Policies

First of all, you should check the Samba manual on group policies. You'll soon notice that it is informative but doesn't tell you how to actually do it.

The biggest worry in getting these group policies to work is finding an editor for them that works on your system. It's pretty obvious you'll need a Windows system (I haven't tested it with Wine yet).

Get the needed tools

Various sources tell me that you should be able to use the group policy tool provided with win2k, win2k3 and winxp. However, this doesn't work at all for me. Neither does the poledit tool from winnt service packs.

Currently I have found a working one that comes with win98 (afaik). If there is somebody with some webspace left, I'll be happy to upload it.

Running the needed tools

Once you have a working poledit tool, you have two options for running it:

  • The first is the easiest: just run Windows.
  • The second is to run poledit in Wine. You may get an error message, but you can safely skip it.

Templates

The poledit tool works with templates you can import. These templates don't enforce any policy settings; they "map" a setting to the corresponding registry setting. It is quite easy to create a template yourself. We will discuss this later.

A good template to begin with is the one found on http://www.pcc-services.com/custom_poledit.html. Templates end with the .adm extension. Many more can be found on the Microsoft website, although the ones you find there probably won't work with the somewhat deprecated poledit.exe tool.

Once you have saved the template somewhere, start the poledit.exe tool and go to options > policy template.
Add the template and close this window. Now you can get started.

Creating your own template

You may find that some settings are missing or that you need additional ones. In that case you have to create or adjust a template. A good howto can be found here: http://www.oreilly.com/catalog/winsyspe/chapter/ch08.html

To create your own templates you might need a registry-watch program; these can be found all around the web (mostly freeware). Install one and get it running. Make sure the program watches the WHOLE registry. Most of these programs have several settings, from minor to severe checking.

The next thing to do is find out which registry setting changes when you change something on your desktop. Do this by making the change, then check the registry watcher to see which setting has been altered. This registry key can be used to create a policy template (see the above website for more details).

You might also just want to wander around in the registry looking for useful settings.

Converting the Windows-provided templates to a usable format

This is not working yet. I think we'll have to do it manually anyhow. :/

* Perhaps this can shed some light here; it seems that Unicode template files can be re-saved as ASCII and then they work with the older version of poledit.

Creating the .pol file

Once you have imported the template, start off by creating a new policy.
Poledit.exe > File > New Policy
Double-click the Default User (or Default Computer) and alter the settings as you want them. Once finished, save the policy to ntconfig.pol.

Applying the policy

Applying is extremely simple. Just place the ntconfig.pol file on your Samba server in the netlogon share. Finished!


Account Policies

Overview

Samba provides some global policy settings through the pdbedit tool.
The pdbedit tool is the only one that can manage the account security and policy settings. It can perform every operation that smbpasswd can, as well as a superset of them. To get a listing of the possible settings, run the pdbedit command with the -P option and a nonexistent value.

# pdbedit -P list
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change
Note: list is not a valid option; invalid options trigger pdbedit to list the possibilities.

Different Options

This is a quick overview of the different settings and how they compare to an NT4 policy.

| NT4 Name | Samba v3 Name | NT4 Range | Samba Range | Samba Default |
|---|---|---|---|---|
| Maximum Password Age | maximum password age | 0 - 999 (days) | 0 - 4294967295 (sec) | 4294967295 |
| Minimum Password Age | minimum password age | 0 - 999 (days) | 0 - 4294967295 (sec) | 0 |
| Minimum Password Length | min password length | 1 - 14 (Chars) | 0 - 4294967295 (Chars) | 5 |
| Password Uniqueness | password history | 0 - 23 (#) | 0 - 4294967295 (#) | 0 |
| Account Lockout - Reset count after | reset count minutes | 1 - 99998 (min) | 0 - 4294967295 (min) | 30 |
| Lockout after bad logon attempts | bad lockout attempt | 0 - 998 (#) | 0 - 4294967295 (#) | 0 |
| *** Not Known *** | disconnect time | TBA | 0 - 4294967295 | 0 |
| Lockout Duration | lockout duration | 1 - 99998 (min) | 0 - 4294967295 (min) | 30 |
| Users must log on in order to change password | user must logon to change password | 0/1 | 0 - 4294967295 | 0 |
| *** Registry Setting *** | refuse machine password change | 0/1 | 0 - 4294967295 | 0 |


Setting a value

You can set a policy value by using the pdbedit command:

pdbedit -P "<policy name>" -C <value>
pdbedit -P "min password length" -C 8

This would set the minimum password length to 8.

Note: To calculate the number of seconds in a given number of days, multiply the days by 24 and by 3600 (24 hours in a day and 3600 seconds in an hour).
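
The following is an added example, not part of the original page: a dry-run script that checks policy names against the list pdbedit prints above, checks values against the Samba range from the table, converts days to seconds, and prints the resulting pdbedit commands. The baseline values and the function names (days_to_seconds, policy_cmd, baseline_cmds) are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: dry-run generator for pdbedit account-policy commands.
# It only prints the commands so they can be reviewed before being run.

# Policy names exactly as pdbedit lists them on this page.
POLICY_NAMES='min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change'

MAX_VALUE=4294967295   # upper end of the Samba range in the table

# Days to seconds, as in the note: days * 24 * 3600.
days_to_seconds() {
    case "$1" in ''|*[!0-9]*|0?*) echo "bad day count: $1" >&2; return 1 ;; esac
    echo $(( $1 * 24 * 3600 ))
}

# Print one pdbedit command; fail on an unknown name or out-of-range value.
policy_cmd() {
    if ! printf '%s\n' "$POLICY_NAMES" | grep -qxF -- "$1"; then
        echo "unknown account policy: $1" >&2; return 1
    fi
    case "$2" in ''|*[!0-9]*) echo "bad value for $1: $2" >&2; return 1 ;; esac
    if [ "${#2}" -gt 10 ] || [ "$2" -gt "$MAX_VALUE" ]; then
        echo "value out of range for $1: $2" >&2; return 1
    fi
    printf 'pdbedit -P "%s" -C %s\n' "$1" "$2"
}

# Hypothetical baseline (values are assumptions, not taken from the page).
baseline_cmds() {
    policy_cmd "min password length" 8 &&
    policy_cmd "password history" 5 &&
    policy_cmd "maximum password age" "$(days_to_seconds 90)" &&
    policy_cmd "bad lockout attempt" 5 &&
    policy_cmd "lockout duration" 30 &&
    policy_cmd "reset count minutes" 30
}

baseline_cmds
```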

TODO

REQUEST for Feedback

Ok, this is what I have so far. I know from myself I ain't the great English virtuoso. So please correct any mistakes against the English language ;)
