Password policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at us.ibm.com
Thu Feb 19 22:44:47 GMT 2004

>I think this is best - but I don't mind an option for always consistent
>backends.  If we have multi-master, then other things break (rid
>allocation), so we can't exactly count on that either...
So you can't really have always consistent backends this way either...

There's still an issue...how do you properly update the PDC when the BDC
encounters a bad password.

On NT, the BDC does a netlogon call to the PDC as though it were a member
server.  This has several effects:
- The user can still logon if the password change hasn't yet propagated
- The PDC will know that a bad password was attempted if it really is bad
- The PDC (if it is up/contactable) will always have the right count of bad
passwords.

Then, when the max is reached, it announces the sam change, and the BDCs
request a delta.  In the meantime, each BDC has its own count, and _still_
has its own record of the password if it's a propagation issue.  That means
that until the BDC syncs up via replication, the BDC keeps the old password
stored.

But our BDC code doesn't do anything like this...how hard would it be to
change that?  Basically, don't update the real "stored" passdb (unless the
max gets hit) on a bad pw attempt, but let the PDC know by the netlogon
call (I forget offhand what it is, but it's basically just authenticating
like a member server would, IIRC)?

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
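The NT behaviour described in the message above (BDC passes the logon through to the PDC, keeps its own bad-password count outside the stored passdb, and only picks up the lockout through a SAM delta) as an added toy model. This is illustration code written for this archive page, not Samba's BDC code or the patch under discussion; the classes, the MAX_BAD threshold, the "reachable" switch and the sample accounts are all constructed for the example.

```python
"""Toy model of NT-style bad-password accounting between a PDC and a BDC.

Added illustration, not Samba code: every name and value here is
constructed for the example.
"""
from copy import deepcopy
from dataclasses import dataclass

MAX_BAD = 3  # constructed lockout threshold


@dataclass
class Account:
    password: str
    bad_count: int = 0  # only the PDC's copy of this is authoritative
    locked: bool = False


class PDC:
    """Holds the authoritative SAM and the authoritative bad-password count."""

    def __init__(self, accounts):
        self.sam = {user: Account(pw) for user, pw in accounts.items()}
        self.bdcs = []
        self.reachable = True  # constructed switch to simulate a PDC outage

    def authenticate(self, user, password):
        acct = self.sam[user]
        if acct.locked:
            return False
        if acct.password == password:
            acct.bad_count = 0
            return True
        acct.bad_count += 1
        if acct.bad_count >= MAX_BAD:
            acct.locked = True
            self.announce_change(user)  # SAM change: BDCs pull a delta
        return False

    def change_password(self, user, new_password):
        # Takes effect on the PDC now; a BDC only sees it at its next sync.
        self.sam[user].password = new_password
        self.sam[user].bad_count = 0

    def delta(self, user):
        return deepcopy(self.sam[user])

    def announce_change(self, user):
        for bdc in self.bdcs:
            bdc.request_delta(user)


class BDC:
    """Keeps a replica of the SAM plus its own, non-replicated bad count."""

    def __init__(self, pdc):
        self.pdc = pdc
        self.sam = deepcopy(pdc.sam)  # initial full sync
        self.own_bad = {}  # per-user count kept outside the stored passdb
        pdc.bdcs.append(self)

    def request_delta(self, user):
        self.sam[user] = self.pdc.delta(user)
        self.own_bad.pop(user, None)

    def authenticate(self, user, password):
        acct = self.sam[user]
        if acct.locked:
            return False
        if acct.password == password:
            return True  # matches our (possibly stale) stored record
        # Netlogon-style pass-through: let the PDC decide and count it.
        if self.pdc.reachable and self.pdc.authenticate(user, password):
            return True  # password changed on the PDC, not yet propagated
        acct = self.sam[user]  # re-read: a lockout delta may have just arrived
        if acct.locked:
            return False
        # Really bad (or PDC down): bump our own count, stored record untouched.
        self.own_bad[user] = self.own_bad.get(user, 0) + 1
        if self.own_bad[user] >= MAX_BAD:
            acct.locked = True
        return False


def scenario():
    """Walk through the three effects listed in the message; returns observations."""
    pdc = PDC({"alice": "old-secret"})
    bdc = BDC(pdc)
    pdc.change_password("alice", "new-secret")  # change lands on the PDC only
    logon_new = bdc.authenticate("alice", "new-secret")  # via pass-through
    logon_old = bdc.authenticate("alice", "old-secret")  # stale replica still has it
    for _ in range(MAX_BAD):
        bdc.authenticate("alice", "wrong")  # genuinely bad attempts
    return {
        "logon_with_new_pw_before_sync": logon_new,
        "logon_with_old_pw_before_sync": logon_old,
        "pdc_bad_count": pdc.sam["alice"].bad_count,
        "pdc_locked": pdc.sam["alice"].locked,
        "bdc_locked_after_delta": bdc.sam["alice"].locked,
        "bdc_password_after_delta": bdc.sam["alice"].password,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running `scenario()` shows the three effects in one pass: the new password works at the BDC before any sync (pass-through), the old one still works there too (stale stored record), the PDC alone ends with the full count of three and locks the account, and the BDC only learns of the lockout, and of the new password, when it pulls the delta. With `pdc.reachable = False` the BDC falls back to its own count and locks locally without the PDC's count moving at all.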

