Building a home Active Directory Domain Controller (AD DC) with CentOS 7 and Samba 4, part 4: configuring account policies (password policies)

This time we configure account policies, which govern password rules and related settings, on the domain controller built on CentOS 7.
Note that some of these functions (account lockout, for example) do not appear to work correctly on a Samba 4 domain controller, so in practice only the password policy is covered here.

1. Managing from Windows (client)

From Windows, the password policy is configured through the Group Policy Management console.
First, in Group Policy Management, open [Forest] > [Domains] > [the domain to manage], right-click [Default Domain Policy] and choose Edit.

A new Group Policy Management Editor window opens; the settings are found under [Computer Configuration] > [Policies] > [Windows Settings] > [Security Settings] > [Account Policies].

2. Managing from Linux

The commands used when managing the policy from Linux are described below.

Show the password policy details

/usr/local/samba/bin/samba-tool domain passwordsettings show

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Enable/disable password complexity (enforce a mix of letters, digits and symbols)

/usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on|off

[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=on
Password complexity activated!
All changes applied successfully!
[root@dctest01 ~]#  /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]#

Set the minimum password length

/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=<minimum number of characters>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=10
Minimum password length changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

Set the password expiration (maximum password age)

/usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=<days until the password must be changed>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=90
Maximum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

Set the minimum password age (period during which the password cannot be changed)

/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=<days during which the password cannot be changed>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-age=3
Minimum password age changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

Account lockout duration (behaves unreliably)

/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=<lockout duration in minutes>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=60
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

Account lockout threshold (number of failed attempts)

The option for this setting is --account-lockout-threshold. Note that the session below was run with --account-lockout-duration instead, so it changed the lockout duration to 10 minutes rather than the number of attempts, which stayed at 3.

/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-threshold=<number of failed attempts before lockout>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 60
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-duration=10
Account lockout duration changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

Retention period for the failed-attempt counter

/usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=<minutes until the failed-attempt counter is reset>

[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings set --reset-account-lockout-after=60
Duration to reset account lockout after changed!
All changes applied successfully!
[root@dctest01 ~]# /usr/local/samba/bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=testad,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 10
Minimum password age (days): 3
Maximum password age (days): 90
Account lockout duration (mins): 10
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 60
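As an added example (not part of the original post), the following POSIX shell script parses the output of samba-tool domain passwordsettings show and reports any setting weaker than a baseline, which is a quick way to catch drift such as the lockout threshold of 0 (never lock out) reported by the first show output above. The baseline numbers, the SAMBA_TOOL path variable and the embedded sample output are assumptions, chosen to match the values set in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the output of
# "samba-tool domain passwordsettings show" against a minimum baseline.
# The baseline numbers are assumptions matching the values set in the post.
SAMBA_TOOL=/usr/local/samba/bin/samba-tool

# Extract the value of one "Label: value" line of the show output (stdin).
policy_value() { grep -F "$1:" | sed 's/.*: *//'; }

# Read show output on stdin; print one line per weak setting and return 1
# if any was found, 0 when every setting meets the baseline.
audit_policy() {
    out=$(cat); rc=0
    v() { printf '%s\n' "$out" | policy_value "$1"; }
    complexity=$(v "Password complexity")
    plaintext=$(v "Store plaintext passwords")
    hist=$(v "Password history length")
    minlen=$(v "Minimum password length")
    maxage=$(v "Maximum password age (days)")
    threshold=$(v "Account lockout threshold (attempts)")
    [ "$complexity" = on ] || { echo "WEAK: password complexity is $complexity"; rc=1; }
    [ "$plaintext" = off ] || { echo "WEAK: plaintext password storage is $plaintext"; rc=1; }
    [ "${hist:-0}" -ge 24 ] || { echo "WEAK: history length $hist (< 24)"; rc=1; }
    [ "${minlen:-0}" -ge 10 ] || { echo "WEAK: minimum length $minlen (< 10)"; rc=1; }
    { [ "${maxage:-0}" -ge 1 ] && [ "$maxage" -le 90 ]; } || { echo "WEAK: max age $maxage days (want 1..90)"; rc=1; }
    # 0 attempts means accounts are never locked out (the post's first show output).
    { [ "${threshold:-0}" -ge 1 ] && [ "$threshold" -le 10 ]; } || { echo "WEAK: lockout threshold $threshold (want 1..10)"; rc=1; }
    return $rc
}

# Constructed sample: the first "show" output in the post (threshold 0, length 7).
WEAK_SAMPLE="Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30"

# Audit the live DC when samba-tool is present, otherwise the sample above.
# All settings can also be applied in a single call, e.g.:
#   $SAMBA_TOOL domain passwordsettings set --complexity=on --min-pwd-length=10 \
#       --max-pwd-age=90 --min-pwd-age=3 --account-lockout-threshold=3
run_audit() {
    if [ -x "$SAMBA_TOOL" ]; then "$SAMBA_TOOL" domain passwordsettings show
    else printf '%s\n' "$WEAK_SAMPLE"; fi | audit_policy
}
run_audit || echo "Audit failed: tighten the policy with '$SAMBA_TOOL domain passwordsettings set ...'"
```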