implementing password lockout

Jim McDonough jmcd at us.ibm.com
Sun Jan 25 21:24:08 GMT 2004

As I've been looking into merging the password lockout patch (or rather,
one of the several) and doing some testing, I've noticed this: the bad
password count is _not_ replicated as part of sam updates, presumably to
reduce reasons for replications.  So it seems to me we don't actually want
to store this in the passdb.  I've verified that other attributes, such as
comments and acct flags (including lockout), do get updated from PDC to
BDC.

Do the IDEALX guys agree with this?  Have you seen the bad passwd count get
updated?

If the count is maintained locally only on each DC, it seems we would need
to store it locally in a tdb, which would create two lookups for each user,
though this tdb should only contain entries for users who entered wrong
passwords and did not subsequently enter a correct password.

Don't get me wrong, if you do a samrqueryuserinfo level 23, the bad
password count is returned, but I just don't see it getting updated in an
NT BDC.  Also, there is no field in the SAM for the time that the last bad
attempt was...

There is also a knowledgebase article about this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297157

So my current thought is to create a new tdb to store the password count
and a timestamp for each user, as they encounter bad passwords.  This would
be used for all password backends.  At a successful logon attempt, any
record for a user is deleted.  I think this will get us closest to what NT
is doing.  My biggest concern is that it would mean a second lookup for any
user when the badpasswordcount field is involved.

Thoughts?

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
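
The per-DC store described in the post (a record per user holding a bad
password count and a timestamp, created on a wrong password, deleted on a
successful logon, consulted when the badpasswordcount field or a lockout
decision is needed), written out as an added example that is not Samba's
code and not the patch under discussion.  A fixed-size in-memory table stands
in for the tdb; the reset window (seconds after which an old failure no longer
counts) and the lockout threshold are constructed parameters, not values taken
from the post or the KB article.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_RECORDS 64
#define MAX_NAME    64

/* One record per user who entered a wrong password and has not logged on
 * successfully since.  Hypothetical in-memory stand-in for the local tdb. */
struct bad_pw_record {
    char user[MAX_NAME];
    unsigned int bad_count;  /* failures inside the current reset window */
    time_t last_bad;         /* timestamp of the most recent failure */
};

static struct bad_pw_record table[MAX_RECORDS];
static size_t table_len = 0;

/* Empty the store (used to start a clean run). */
void bad_pw_store_clear(void) { table_len = 0; }

static struct bad_pw_record *find_record(const char *user) {
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].user, user) == 0) return &table[i];
    return NULL;
}

/* Successful logon: drop any record for the user.  Returns 1 if one existed. */
int note_good_logon(const char *user) {
    struct bad_pw_record *r = find_record(user);
    if (r == NULL) return 0;
    *r = table[--table_len];  /* swap-remove; safe when r is the last slot */
    return 1;
}

/* Failed logon: create or update the user's record.  A failure older than
 * reset_secs starts a fresh count.  Returns the new count (0 if the
 * constructed store is full; a real tdb would simply grow). */
unsigned int note_bad_password(const char *user, time_t now,
                               unsigned int reset_secs) {
    struct bad_pw_record *r = find_record(user);
    if (r == NULL) {
        if (table_len >= MAX_RECORDS) return 0;
        r = &table[table_len++];
        strncpy(r->user, user, MAX_NAME - 1);
        r->user[MAX_NAME - 1] = '\0';
        r->bad_count = 0;
        r->last_bad = 0;
    }
    if (r->last_bad != 0 && now - r->last_bad > (time_t)reset_secs)
        r->bad_count = 0;
    r->bad_count++;
    r->last_bad = now;
    return r->bad_count;
}

/* The value a samrqueryuserinfo-style query would report: the second lookup
 * the post worries about.  0 when there is no record or it has expired. */
unsigned int bad_password_count(const char *user, time_t now,
                                unsigned int reset_secs) {
    struct bad_pw_record *r = find_record(user);
    if (r == NULL) return 0;
    if (now - r->last_bad > (time_t)reset_secs) return 0;
    return r->bad_count;
}

/* Lockout decision from the local count.  threshold 0 means never lock.
 * The resulting lockout itself would be set in the replicated acct flags. */
int is_locked_out(const char *user, time_t now, unsigned int threshold,
                  unsigned int reset_secs) {
    if (threshold == 0) return 0;
    return bad_password_count(user, now, reset_secs) >= threshold;
}

int main(void) {
    const unsigned int window = 1800, threshold = 3;  /* constructed values */
    time_t t = 1000;                                   /* constructed clock */
    bad_pw_store_clear();
    for (int i = 0; i < 3; i++)
        printf("alice bad count: %u\n", note_bad_password("alice", t + i * 10, window));
    printf("alice locked: %d\n", is_locked_out("alice", t + 20, threshold, window));
    note_good_logon("alice");
    printf("alice count after good logon: %u\n", bad_password_count("alice", t + 30, window));
    return 0;
}
```

The record is removed, not zeroed, on a good logon, so the table only ever
holds users with an outstanding failure, which is what keeps the second lookup
cheap for everyone else.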
