Password policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at
Thu Feb 19 22:44:47 GMT 2004

>I think this is best - but I don't mind an option for always consistent
>backends.  If we have multi-master, then other things break (rid
>allocation), so we can't exactly count on that either...
So you can't really have always consistent backends this way either...

There's still an do you properly update the PDC when the BDC
encounters a bad password.

On NT, the BDC does a netlogon call to the PDC as though it were a member
server.  This has several effects:
- The user can still logon if the password change hasn't yet propagated
- The PDC will know that a bad password was attempted if it really is bad
- The PDC (if it is up/contactable) will always have the right count of bad

Then, when the max is reached, it announces the sam change, and the BDCs
request a delta.  In the meantime, each BDC has its own count, and _still_
has its own record of the password if it's a propagation issue.  That means
that until the BDC syncs up via replication, the BDC keeps the old password

But our BDC code doesn't do anything like hard would it be to
change that?  Basically, don't update the real "stored" passdb (unless the
max gets hit) on a bad pw attempt, but let the PDC know by the netlogon
call (I forget offhand what it is, but it's basically just authenticating
like a member server would, IIRC)?

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074


Phone: (207) 885-5565
IBM tie-line: 776-9984
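The NT behaviour described in the mail (the BDC forwards a failed attempt to the PDC as a member server would, the PDC keeps the authoritative bad-password count, and the BDC keeps its stale copy until the PDC announces the SAM change), as an added Python model that is not part of the mail or of Samba. The classes, the user, the passwords and the LOCKOUT_MAX threshold are constructed for the example.

```python
LOCKOUT_MAX = 3  # assumed lockout threshold, constructed for the example

class DomainController:
    def __init__(self, passwords):
        self.passwords = dict(passwords)  # replicated SAM copy (plaintext stands in for hashes)
        self.bad_count = {}               # this DC's own bad-password count
        self.locked = set()
    def check(self, user, pw):
        """Local check only: bumps this DC's count, never rewrites the stored password."""
        if user in self.locked:
            return False
        if self.passwords.get(user) == pw:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        return False

class PDC(DomainController):
    def __init__(self, passwords):
        super().__init__(passwords)
        self.bdcs = []
    def check(self, user, pw):
        ok = super().check(user, pw)
        if not ok and self.bad_count.get(user, 0) >= LOCKOUT_MAX:
            self.locked.add(user)   # max hit: announce the SAM change,
            for bdc in self.bdcs:   # and every BDC pulls the delta
                bdc.passwords[user] = self.passwords[user]
                bdc.locked.add(user)
        return ok

class BDC(DomainController):
    def __init__(self, pdc, passwords):
        super().__init__(passwords)
        self.pdc = pdc
        pdc.bdcs.append(self)
    def logon(self, user, pw):
        # Try the local copy first; on failure ask the PDC as a member server would.
        return self.check(user, pw) or self.pdc.check(user, pw)

def scenario():
    """Constructed scenario: password changed on the PDC, not yet replicated to the BDC."""
    pdc = PDC({"alice": "new-secret"})
    bdc = BDC(pdc, {"alice": "old-secret"})
    r = {"stale_bdc_logon": bdc.logon("alice", "new-secret")}  # still works, via the PDC
    for _ in range(LOCKOUT_MAX):
        bdc.logon("alice", "wrong")
    r["pdc_bad_count"] = pdc.bad_count["alice"]  # PDC saw every genuinely bad attempt
    r["bdc_synced"] = bdc.passwords["alice"] == "new-secret"
    r["logon_after_lock"] = bdc.logon("alice", "new-secret")
    return r
```

Note that the BDC's own counter also ticks on the first logon even though the password was right at the PDC, which is exactly why only the PDC's count is authoritative in this model.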
