This time, on the domain controller built on CentOS 7, we configure the account policy that governs things such as password rules.
Note that on a Samba 4 domain controller some of these features (account lockout, for example) do not appear to work correctly, so in practice only the password policy takes effect.
From Windows, the password policy is configured through "Group Policy Management".
First, in "Group Policy Management", right-click [Forest] > [Domains] > [the domain to manage] > [Default Domain Policy] and choose Edit.
A new "Group Policy Management Editor" window opens, and the settings can be made under [Computer Configuration] > [Policies] > [Windows Settings] > [Security Settings] > [Account Policies].
The commands for managing the same settings from Linux are described below.
● Show the current password policy
/usr/local/samba/bin/samba-tool domain passwordsettings show
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
● Enable/disable password complexity (forcing a mix of letters, digits and symbols)
/usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on (use --complexity=off to disable)
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on
Password complexity activated!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]#
● Set the minimum password length
/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=<minimum number of characters>
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=10
Minimum password length changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
● Set the password expiry (maximum password age)
/usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=<days until the password must be changed>
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=90
Maximum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
● Set the period during which the password cannot be changed (minimum password age)
/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=<days during which a change is not allowed>
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=3
Minimum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
● Password lockout duration (unstable behaviour)
/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=<lockout duration in minutes>
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=60
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
● Number of failed password attempts before lockout (lockout threshold)
/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-threshold=<number of failed attempts>
(The threshold is the "Account lockout threshold (attempts)" value; a threshold of 0 means lockout never triggers. In the session captured below the --account-lockout-duration option was run instead, which is why "Account lockout duration" changed from 60 to 10 while the threshold stayed at 3.)
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=10
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
● Retention period for the failed-attempt counter
/usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=<minutes until the failed-attempt counter is reset>
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=60
Duration to reset account lockout after changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 60
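Once the settings above are in place, the practical question is whether they stay in place. The POSIX sh script below is an added example and not part of the original post: it parses the output of "samba-tool domain passwordsettings show" (the same labels the sessions above print), compares each value against a baseline, lists every deviation, and prints the single "set" command that would restore the baseline. The baseline values (minimum length 10, maximum age 90 days, history 24, lockout threshold 3), the samba-tool path and the two sample outputs are assumptions; the samples are constructed to match the page's output format and are embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check a Samba AD password
# policy against a baseline and print the remediation command.
# Baseline values are assumptions; they mirror the values this post ends up with.
BASE_MIN_LEN=10        # Minimum password length
BASE_MAX_AGE=90        # Maximum password age (days); 0 means "never expires"
BASE_HISTORY=24        # Password history length
BASE_THRESHOLD=3       # Account lockout threshold (attempts); 0 disables lockout
SAMBA_TOOL=/usr/local/samba/bin/samba-tool   # path used throughout the post

# Constructed sample in the format of "passwordsettings show": complexity off,
# short minimum length, lockout disabled (threshold 0).
SAMPLE_WEAK=$(cat <<'EOF'
Password informations for domain 'DC=testad,DC=local'
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# Constructed sample that satisfies the baseline.
SAMPLE_OK=$(cat <<'EOF'
Password informations for domain 'DC=testad,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 60
EOF
)

# pw_field OUTPUT LABEL: print the value following "LABEL:" in OUTPUT.
pw_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# pw_findings OUTPUT: print one line per deviation from the baseline.
# Returns 0 when the policy is compliant, 1 otherwise.
pw_findings() {
    out=$1
    rc=0
    complexity=$(pw_field "$out" "Password complexity")
    plaintext=$(pw_field "$out" "Store plaintext passwords")
    history=$(pw_field "$out" "Password history length")
    minlen=$(pw_field "$out" "Minimum password length")
    maxage=$(pw_field "$out" "Maximum password age (days)")
    threshold=$(pw_field "$out" "Account lockout threshold (attempts)")

    if [ "$complexity" != "on" ]; then
        echo "password complexity is '$complexity', expected on"; rc=1
    fi
    if [ "$plaintext" != "off" ]; then
        echo "plaintext password storage is '$plaintext', expected off"; rc=1
    fi
    if [ "$history" -lt "$BASE_HISTORY" ]; then
        echo "password history length $history is below $BASE_HISTORY"; rc=1
    fi
    if [ "$minlen" -lt "$BASE_MIN_LEN" ]; then
        echo "minimum password length $minlen is below $BASE_MIN_LEN"; rc=1
    fi
    if [ "$maxage" -eq 0 ] || [ "$maxage" -gt "$BASE_MAX_AGE" ]; then
        echo "maximum password age $maxage days exceeds $BASE_MAX_AGE (0 = never expires)"; rc=1
    fi
    if [ "$threshold" -eq 0 ]; then
        echo "account lockout threshold is 0, so lockout never triggers"; rc=1
    fi
    return $rc
}

# pw_remediation OUTPUT: print (do not run) one "set" command that fixes
# every deviation pw_findings would report.
pw_remediation() {
    out=$1
    opts=""
    [ "$(pw_field "$out" "Password complexity")" = "on" ] || opts="$opts --complexity=on"
    [ "$(pw_field "$out" "Store plaintext passwords")" = "off" ] || opts="$opts --store-plaintext=off"
    [ "$(pw_field "$out" "Password history length")" -ge "$BASE_HISTORY" ] || opts="$opts --history-length=$BASE_HISTORY"
    [ "$(pw_field "$out" "Minimum password length")" -ge "$BASE_MIN_LEN" ] || opts="$opts --min-pwd-length=$BASE_MIN_LEN"
    maxage=$(pw_field "$out" "Maximum password age (days)")
    if [ "$maxage" -eq 0 ] || [ "$maxage" -gt "$BASE_MAX_AGE" ]; then
        opts="$opts --max-pwd-age=$BASE_MAX_AGE"
    fi
    [ "$(pw_field "$out" "Account lockout threshold (attempts)")" -gt 0 ] || opts="$opts --account-lockout-threshold=$BASE_THRESHOLD"
    echo "$SAMBA_TOOL domain passwordsettings set$opts"
}

# Stand-alone run: report on the constructed weak sample.
pw_findings "$SAMPLE_WEAK" || echo "policy drift detected; suggested fix:"
pw_remediation "$SAMPLE_WEAK"
```

On a real domain controller, feed the live output instead of the sample: pw_findings "$($SAMBA_TOOL domain passwordsettings show)". The remediation line is printed rather than executed so it can be reviewed (or applied through change control) before the policy is touched; samba-tool accepts several options in one "set" invocation, which is why one command suffices.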