Building a home Active Directory Domain Controller (AD DC) with CentOS 7 and Samba4, part 4: configuring the account policy (password policy)

This time we configure the account policy, which governs rules such as password requirements, on the domain controller built on CentOS 7.
Note that on a Samba 4 domain controller some of these features (account lockout, for example) do not seem to work correctly, so in practice this amounts to the password policy only.

1. Managing from Windows (the client)

From Windows, the password policy is configured through the Group Policy Management console.
First, in Group Policy Management, expand [Forest] > [Domains] > [the domain to manage], right-click [Default Domain Policy] and choose Edit.


A new Group Policy Management Editor window then opens; the settings are under [Computer Configuration] > [Policies] > [Windows Settings] > [Security Settings] > [Account Policies].


2. Managing from Linux

The commands used when managing the policy from Linux are described below.

●Show the current password policy

/usr/local/samba/bin/samba-tool domain passwordsettings show


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30


●Enable/disable password complexity (forcing a mix of letters, digits and symbols)

/usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on|off


[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on
Password complexity activated!
All changes applied successfully!
[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]#


●Set the minimum password length

/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=<minimum number of characters>


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=10
Minimum password length changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


●Set the password expiry (maximum password age)

/usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=<maximum password age in days>


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=90
Maximum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


●Set the period during which a password cannot be changed (minimum password age)

/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=<minimum password age in days>


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=3
Minimum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


●Account lockout duration (unstable)

/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=<lockout duration in minutes>


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=60
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


●Number of failed password attempts allowed before lockout (lockout threshold)

/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-threshold=<number of failed attempts>

Note that the session below actually ran --account-lockout-duration=10 rather than the threshold option, which is why the output shows the lockout duration changing to 10 while the threshold stays at 3.


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=10
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


●How long failed password attempts are remembered

/usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=<minutes until the failed-attempt counter resets>


[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=60
Duration to reset account lockout after changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 60
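As an added example (not code from the original post or from Samba), the following POSIX shell script parses the `samba-tool domain passwordsettings show` output used throughout this section, compares each setting against a simple baseline, and prints the `samba-tool` command that would correct each deviation. The sample output is constructed from values seen in this article's sessions, and the baseline thresholds are this example's own assumptions rather than Samba defaults.

```shell
#!/bin/sh
# Added example: audit "samba-tool domain passwordsettings show" output against a
# baseline and print a remediation command per finding. The baseline values
# (length >= 10, threshold > 0, ...) are this example's own assumptions.

# Constructed sample, combining values seen in this article's sessions. On a real
# DC, feed in: /usr/local/samba/bin/samba-tool domain passwordsettings show
SAMPLE_SHOW="Password informations for domain 'DC=testad,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30"

# setting_value LABEL TEXT: print the value after "LABEL: " (empty if absent)
setting_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p"
}

# audit_policy TEXT: one "FINDING:" line per deviation from the baseline
audit_policy() {
    t=$1
    fix="samba-tool domain passwordsettings set"
    [ "$(setting_value 'Password complexity' "$t")" = on ] ||
        echo "FINDING: complexity off        fix: $fix --complexity=on"
    [ "$(setting_value 'Store plaintext passwords' "$t")" = off ] ||
        echo "FINDING: plaintext storage on  fix: $fix --store-plaintext=off"
    len=$(setting_value 'Minimum password length' "$t")
    [ "${len:-0}" -ge 10 ] ||
        echo "FINDING: min length ${len:-?} < 10  fix: $fix --min-pwd-length=10"
    age=$(setting_value 'Maximum password age (days)' "$t")
    [ "${age:-0}" -gt 0 ] ||
        echo "FINDING: max age 0 (no expiry)  fix: $fix --max-pwd-age=90"
    thr=$(setting_value 'Account lockout threshold (attempts)' "$t")
    [ "${thr:-0}" -gt 0 ] ||
        echo "FINDING: lockout disabled  fix: $fix --account-lockout-threshold=5"
}

# finding_count TEXT: number of findings (0 means the baseline is met)
finding_count() {
    audit_policy "$1" | grep -c '^FINDING:'
}

audit_policy "$SAMPLE_SHOW"
```

To audit a live DC, replace the constructed sample with `"$(/usr/local/samba/bin/samba-tool domain passwordsettings show)"`; a non-zero finding count is a useful check to run after every policy change.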

Written by blacknon

Infrastructure systems engineer, and for a while a programmer. Interested in virtualization and open source. Lately I'd like to sleep all day. I'd like to work somewhere like Spain... (because of the siesta)
