Patch for Bad Password Attempt Lockout, samba3.0a22.

Jianliang Lu j.lu at tiesse.com
Mon Mar 31 10:04:29 GMT 2003


> On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
> > Now the users of "admin users" will not be locked.
>
> "admin users" is not the appropriate choice here.  Better would be the
> members of the 'domain admins' group.  The interesting bit is finding
> this out at the right point in time...

Yes, I agree with you. But as long as the privilege of "domain admins" does
not work, I can only use "admin users" as a workaround for the
administrators' group.
 
>
> > Attached is the new patch file.
> > About lockout duration, I will implement next time. I think that we should
> > extend another attribute to record the lockout time.
> 
> We also need to check that the account policy has been set, and that
> it's not 0 (which I assume is the 'don't lock out' value).
> 

'0' means forever. We can always put the max number like 99999.. to that. As
soon as the user logs on with the correct password, the bad attempt count will
be reset to 0.

> Also, I'm worried about the writes this will cause on the backend.  An
> LDAP write can be quite expensive, and for the LDAP case this means that
> the master ldap server will be hit for every logon attempt.  
> 

Yes, but I don't know how to implement it differently.

> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net



Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it

