implementing password lockout

Jim McDonough jmcd at us.ibm.com
Mon Jan 26 13:38:11 GMT 2004
>So, you may think that bad password count is not replicated, but it is,
>in fact. The count will be sent to the BDCs at the next user replication.
Umm, beep, you're wrong, too.

I'm not convinced that it's _never_ replicated (that's why I was asking you
guys), but I am convinced that it's _not always_ replicated, or at least
that the BDC doesn't always take it.  Since my schannel was encrypted, I
wasn't able to see the exact contents of the replication, but I did the
following:

1. Made sure bad password count was zero on PDC and BDC (via rpcclient
queryuserinfo)
2. Made sure user's comments were same on PDC and BDC
3. Entered a bad password on PDC, saw that count was 1 on PDC, 0 on BDC.
4. Changed user comment on PDC.
5. Requested a replication via server manager and waited for traffic to
occur.
6. Checked both bad password count and user comment.  Change was replicated
for the user comment, but _not_ for the bad password count.

Can you explain this?  I'm very open to explanations, but I'm convinced it
is possible for some user data to be replicated _without_ the bad password
count.

There's one more problem with replicating bad password count...the reset
time needs to be applied to the time the bad password was entered, and that
isn't anywhere in the SAM, is it?  Or do you guys see it somewhere that
we're missing?

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
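
The check behind steps 1, 3 and 6 above, as an added example (not code from the message or from Samba): capture `rpcclient` output for the same account from the PDC and the BDC and compare the bad password counters. It assumes the `queryuser` subcommand and the `bad_password_count:<tab>0x...` line it prints; the two captures embedded here are constructed samples shaped like that output, with the PDC showing one failure and the BDC still at zero, so the script runs offline.

```shell
#!/bin/sh
# Compare bad_password_count between two domain controllers by parsing
# rpcclient "queryuser" output. The samples below are constructed, not
# real captures; the field layout mirrors what rpcclient prints.

# Live capture (not run here). Assumes rpcclient's queryuser subcommand.
# $1: controller host, $2: credentials as user%password, $3: account name
query_user() {
    rpcclient -U "$2" "$1" -c "queryuser $3"
}

# Pull the bad_password_count field out of a queryuser capture and print
# it in decimal. rpcclient prints the value as hex (0x00000001).
# $1: captured queryuser text. Returns 1 if the field is missing.
bad_pw_count() {
    hex=$(printf '%s\n' "$1" |
        awk -F: '/bad_password_count/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    [ -n "$hex" ] || return 1
    printf '%d\n' "$(( $hex ))"
}

# Compare the counter on two controllers. Prints the verdict; returns 0
# when they agree, 1 when they diverge, 2 when a capture is unparseable.
# $1: PDC capture, $2: BDC capture
compare_counts() {
    pdc=$(bad_pw_count "$1") || return 2
    bdc=$(bad_pw_count "$2") || return 2
    if [ "$pdc" -eq "$bdc" ]; then
        echo "in sync (bad_password_count=$pdc)"
    else
        echo "divergent (PDC=$pdc BDC=$bdc)"
        return 1
    fi
}

# Constructed sample: PDC after one bad logon (step 3 of the test).
PDC_SAMPLE=$(cat <<'EOF'
	User Name   :	jsmith
	Comment     :	test account
	user_rid :	0x3e8
	group_rid:	0x201
	acb_info :	0x00000010
	bad_password_count:	0x00000001
	logon_count:	0x00000005
EOF
)

# Constructed sample: BDC for the same account, counter not replicated.
BDC_SAMPLE=$(cat <<'EOF'
	User Name   :	jsmith
	Comment     :	test account
	user_rid :	0x3e8
	group_rid:	0x201
	acb_info :	0x00000010
	bad_password_count:	0x00000000
	logon_count:	0x00000005
EOF
)

# Demo on the constructed captures (prints "divergent (PDC=1 BDC=0)").
compare_counts "$PDC_SAMPLE" "$BDC_SAMPLE" || :
```

For a live run, replace the two samples with `query_user pdc-host 'admin%secret' jsmith` and the same call against the BDC; a non-zero exit from `compare_counts` is the signal that the lockout counter did not travel with the rest of the account record.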

