Passowrd policy patch on Samba-3.0.2 for LDAP backend

Jianliang Lu at
Fri Feb 20 11:20:37 GMT 2004

On Thu Feb 19 22:44:47 GMT 2004, Jim McDonough  wrote:

> >I think this is best - but I don't mind an option for always consistent
> >backends.  If we have multi-master, then other things break (rid
> >allocation), so we can't exactly count on that either...
> So you can't really have always consistent backends this way either...
> There's still an do you properly update the PDC when the BDC
> encounters a bad password.
> On NT, the BDC does a netlogon call to the PDC as though it were a member
> server.  This has several effects:
> - The user can still logon if the password change hasn't yet propagated
> - The PDC will know that a bad password was attempted if it really is bad
> - The PDC (if it is up/contactable) will always have the right count of bad
> passwords.

The LDAP Master-Slave replication could work as well, the BDC will update the 
bad password count always on PDC ( referrals on master) if we set the chasing 
REFERRALS on Samba BDC using ldap_set_option(). In this way the BDC using the 
ldap client api to update the data referraled to ldap master.


Jianliang Lu
TieSse s.p.a.     Ivrea (To) - Italy at   luj at

More information about the samba-technical mailing list