WinXP allows login to expired/forbidden accounts

Geoff Holden geoff at
Mon Jun 3 18:01:01 GMT 2002

Mario Juric wrote:
> Hi,
>         I've stumbled upon this problem while trying to limit access to
> a specific machine to specific domain users. I did it by setting Samba to
> obey PAM restrictions, and then using the pam_access PAM module
> ('account' clause) to do user validation (described below).
>         On Win2000, this works fine - if an unauthorized user tries to
> login, Win2000 says 'Account not permitted to login at this time' (or
> something along those lines), and disallows the login.
>         But WinXP _allows_ the login to proceed, but refuses to map any
> drives (home directory) and disallows access to PDC shares. In this way,
> the user has access to local disks and resources.
> Can someone try to replicate and find the source of this bug? I'm seeing
> it on two different WinXP machines, and on no Win2k machines. Is it too
> late to fix this for 2.2.5?
> I'm using stock Samba 2.2.4 on RedHat 7.2 as a PDC to Win2k and WinXP
> domains.

This may be because WinXP has the ability to cache domain logons. It
remembers that the name/password pair worked in the past, and is willing to
let you in based only on that.
I think the default is to cache 10 domain logons, but you can disable
this 'feature' (or bug, depending on your point of view) by setting the
number to 0 in the local security policy of the computer.

Geoff Holden
Systems Programmer
Department of Computer Science
Memorial University of Newfoundland
(709) 737-2661
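The setting Geoff refers to ("Interactive logon: Number of previous logons to cache" in the local security policy) is stored in the registry as the `CachedLogonsCount` value under the Winlogon key. The script below is an added example, not code from the thread or from the Samba project: it audits that value on a workstation so an administrator can confirm whether cached domain logons are still enabled, and offers a guarded way to set it to 0 as the reply suggests. Function and parameter names are the example's own.

```powershell
# Added example (not from the original thread): audit and optionally change the
# "Number of previous logons to cache" setting that the reply above describes.
# Assumption: the policy is backed by the REG_SZ value CachedLogonsCount under
# the Winlogon key; a missing value means the Windows default of 10.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Return the effective count as an integer.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    if ($null -eq $props.CachedLogonsCount) { return 10 }
    return [int]$props.CachedLogonsCount
}

function Test-CachedLogonsCount {
    # Report whether the machine caches more logons than the allowed maximum.
    param([int]$Maximum = 0)
    $current = Get-CachedLogonsCount
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Current      = $current
        Maximum      = $Maximum
        Compliant    = ($current -le $Maximum)
    }
}

function Set-CachedLogonsCount {
    # Write the new count; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        # The policy stores the number as a string (REG_SZ), so write it as one.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -Value ([string]$Count) -Type String
    }
}

# Usage: audit first; the Set-* call needs an elevated prompt to take effect.
Test-CachedLogonsCount | Format-List
# Set-CachedLogonsCount -Count 0 -WhatIf
```

Setting the count to 0 makes the workstation refuse domain logons whenever it cannot reach a domain controller, so it is the right choice for desktops that are always on the LAN but will lock users out of laptops used off-site; the audit function lets you see the current value before deciding.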
