Backed into a corner

Andrew Bartlett abartlet at samba.org
Wed Jun 29 06:14:25 GMT 2005


On Tue, 2005-06-28 at 21:27 -0400, Douglas Sterner wrote:

> Using Samba 3.0.14a with multiple domain controllers across WAN links I 
> discovered that account lockout policies are broken. My testing shows that 
> account lockout policies are not stored in LDAP as one would think but in a 
> local TDB file on that particular BDC or PDC. The result is I'm seeing 
> errors in my logs and users are getting locked out. There appears to be no 
> replication setup or no way to replicate this policy information in a 
> multiple DC environment. Depending on which DC handles the auth request is 
> what policy is in effect. User Manager does not have any provisions to 
> select the BDC's to apply a consistent lockout policy. I've had to disable 
> account lockouts just to let the users keep working. Are there any plans to 
> fix this? After reviewing the source code the problem seems to be the 
> account lockout code itself.

This issue has been looked at in the Samba trunk development version,
and the version there has an experimental patch to keep account policy
information in LDAP.

The other option is to simply use the pdbedit tool on each host, or
synchronise the account_policy.tdb files.  I realise this means you
can't use the windows GUI, but it should at least work.

However, it sounds like your problem is broader than that - are you
having trouble just with synchronising the policy, or is it more?

I know this was discussed somewhere recently, but I can't find the
reference.  The existing patch could be brought forward to Samba 3.0,
but there was a preference for a different design, using simple LDAP
attributes on the domain object.  (a simpler design than was used in the
first patch).

From here, it is mostly an issue of developer time.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
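The per-host pdbedit workaround mentioned above, as an added example that is not part of this thread or of Samba itself: a small POSIX sh helper that turns a dump of the PDC's account policy values into the pdbedit commands that reproduce them on a BDC. It assumes that `pdbedit -P "<policy>"` prints a line of the form `account policy "<policy>" value is: <n>` and that `pdbedit -P "<policy>" -C <n>` sets the value; the host names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): mirror the Samba 3 account
# policy stored in each DC's local account_policy.tdb to the other DCs, since
# the 3.0.x release in the thread does not replicate it via LDAP.
# Assumed pdbedit output format: account policy "<name>" value is: <n>

# The policy names Samba 3 keeps in account_policy.tdb.
POLICIES='min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change'

# Extract the integer value from one "value is:" line of pdbedit output.
policy_value() {
    printf '%s\n' "$1" | sed -n 's/.*value is: *\([0-9][0-9]*\).*/\1/p'
}

# Turn a dump of the PDC's policies (output of dump_local_policies) into the
# pdbedit commands that set the same values on a BDC, one command per line.
# Description lines and anything without a "value is:" field are skipped.
policy_set_cmds() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^account policy "\([^"]*\)" value is:.*/\1/p')
        value=$(policy_value "$line")
        [ -n "$name" ] && [ -n "$value" ] || continue
        printf 'pdbedit -P "%s" -C %s\n' "$name" "$value"
    done
}

# Dump the local policy values; run this on the PDC (needs pdbedit in PATH).
dump_local_policies() {
    printf '%s\n' "$POLICIES" | while IFS= read -r p; do
        pdbedit -P "$p" 2>/dev/null | grep 'value is:' || true
    done
}

# Constructed sample of a PDC dump, so the script runs without Samba installed.
SAMPLE_DUMP='account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0)
account policy "bad lockout attempt" value is: 5
account policy "lockout duration" value is: 30'

policy_set_cmds "$SAMPLE_DUMP"
# Real use on the PDC, pushing to hypothetical BDCs over ssh:
#   dump_local_policies > /tmp/policy.txt
#   for h in bdc1 bdc2; do policy_set_cmds "$(cat /tmp/policy.txt)" | ssh "$h" sh; done
```

Re-run it whenever the policy is changed with User Manager on the PDC, since that change only lands in the PDC's own TDB.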