Encrypted Passwords & Restricting Logon Attempts

Jim Morris Jim at Morris-World.com
Wed Nov 27 16:17:00 GMT 2002

On Wednesday, November 27, 2002, at 09:12  AM, Steve Langasek wrote:

> With Win95/98 it might not be such an issue.  If you have any member
> servers in your domain, it IS an issue, because the only way to get
> recent versions of Windows to negotiate plaintext auth is for the 
> server
> to say it does NOT support encrypted passwords, and a server that 
> doesn't
> support encrypted passwords cannot be a DC.

Well, as migration to Windows 2000 Professional on the desktop is 
gradually taking place, it becomes an issue if the Samba server cannot 
be a domain controller....  I believe there may also be at least one 
Windows NT Server that is a domain member server as well.....

Well, it sounds to me then that the only way to support this is to add 
the support to Samba itself, via a new smb.conf option such as 'max 
failed login attempts = n' for example.  And then either use the 
/var/log/faillog that is used by pam_tally, for compatibility with the 
system authentication, or store the number of failed Samba logon 
attempts independantly, in a field of smbpasswd, or elsewhere.

Jim Morris (Jim at Morris-World.com)

More information about the samba-technical mailing list