implementing password lockout

Aurélien Degrémont aurelien.degremont at idealx.com
Mon Jan 26 10:37:13 GMT 2004


Jim McDonough wrote:

>As I've been looking into merging the password lockout patch (or rather,
>one of the several) and doing some testing, I've noticed this: the bad
>password count is _not_ replicated as part of sam updates, 
>
Beeeep! You're wrong :)
According to tests and Microsoft documentation, bad_pwd_count *is* 
present inside the netlogon replication protocol (SAM_ACCOUNT_INFO). But 
it's not replicated at each change.
The following link describes which events provoke immediate replication, 
and a change on this counter is not sufficient. 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;154502)

So, you may think that bad password count is not replicated, but it is, 
in fact. The count will be sent to the BDCs at the next user replication.

Bad password count replication:
 - A wrong password is used. Bad password count is increased on PDC. 
(BDC will be warned at next "time-based" replication (around 5 min))
 - The bad password count is reached. PDC immediately announces change 
to SAM to BDC, containing the acct flag(account autolocked) and bad pwd 
count (max).
 - The count is unlocked. Bad password count is set to 0 on the PDC.  
(BDC will be warned at next "time-based" replication (around 5 min))

So, I don't see where the problem is. Information will be replicated, 
following NT protocols, and this will not overload the Samba server, not 
more than it is presently :).

If you want to split the SAM_ACCOUNT information into 2 tdb/backends 
(dynamic/static information) to optimise this, it could be useful, but I 
think this is not related to the bad password count functionality.

If this is not a priority concern, I think the bad password count could be 
added to Samba 3.0 without other major changes.

Regards,

Aurélien & Richard
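The three-step sequence described in the message above (counter bumped on the PDC, pushed to the BDC only at the next time-based sync, pushed immediately when the lockout threshold is reached, and reset on unlock waiting for the next periodic sync again) is modelled below in Python. This is an added example, not Samba's code and not the netlogon replication protocol itself: the 300-second interval, the lockout threshold of 3, the ACB_AUTOLOCK bit value, the assumption that unlock also clears the lockout flag, and the account name "alice" are assumptions of the model.

```python
"""Model of NT4-style bad-password-count replication between a PDC and a BDC.

Added example (not Samba code): the PDC holds the authoritative SAM, the BDC
holds a copy, and the only two ways a change reaches the BDC are the periodic
"time-based" sync of dirty accounts and the immediate push on account lockout.
"""
from dataclasses import dataclass, field

REPLICATION_INTERVAL = 300   # assumed time-based sync period, in seconds
LOCKOUT_THRESHOLD = 3        # assumed lockout policy for this model
ACB_AUTOLOCK = 0x0400        # assumed SAM account-control bit for "auto-locked"


@dataclass
class Account:
    name: str
    bad_pwd_count: int = 0
    acct_flags: int = 0

    def copy(self) -> "Account":
        return Account(self.name, self.bad_pwd_count, self.acct_flags)


@dataclass
class BDC:
    sam: dict = field(default_factory=dict)

    def apply_sam_update(self, acct: Account) -> None:
        """Receive a SAM_ACCOUNT_INFO-style record and overwrite the local copy."""
        self.sam[acct.name] = acct.copy()


@dataclass
class PDC:
    bdc: BDC
    sam: dict = field(default_factory=dict)
    dirty: set = field(default_factory=set)   # accounts changed since last sync
    last_sync: float = 0.0

    def add_user(self, name: str) -> None:
        self.sam[name] = Account(name)
        self.bdc.apply_sam_update(self.sam[name])

    def _push(self, name: str) -> None:
        self.bdc.apply_sam_update(self.sam[name])
        self.dirty.discard(name)

    def bad_password(self, name: str) -> None:
        """Wrong password: bump the counter; only a lockout is announced at once."""
        acct = self.sam[name]
        acct.bad_pwd_count += 1
        self.dirty.add(name)
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.acct_flags |= ACB_AUTOLOCK
            self._push(name)   # immediate SAM change announcement to the BDC

    def unlock(self, name: str) -> None:
        """Unlock: reset the counter on the PDC; the BDC learns at the next sync."""
        acct = self.sam[name]
        acct.bad_pwd_count = 0
        acct.acct_flags &= ~ACB_AUTOLOCK   # assumed: unlock also clears the flag
        self.dirty.add(name)

    def tick(self, now: float) -> None:
        """Timer: run the time-based replication when the interval has elapsed."""
        if now - self.last_sync >= REPLICATION_INTERVAL:
            for name in list(self.dirty):
                self._push(name)
            self.last_sync = now


def snapshot(pdc: PDC, name: str) -> tuple:
    """(PDC count, BDC count, BDC sees account locked?)"""
    bdc_acct = pdc.bdc.sam[name]
    return (pdc.sam[name].bad_pwd_count,
            bdc_acct.bad_pwd_count,
            bool(bdc_acct.acct_flags & ACB_AUTOLOCK))


def run_scenario() -> list:
    """Constructed timeline for user 'alice'; returns (label, pdc, bdc, locked) rows."""
    pdc = PDC(bdc=BDC())
    pdc.add_user("alice")
    rows = []
    pdc.bad_password("alice")                   # t=10: BDC not yet informed
    rows.append(("bad pwd #1 @10",) + snapshot(pdc, "alice"))
    pdc.tick(300)                               # t=300: time-based sync
    rows.append(("periodic sync @300",) + snapshot(pdc, "alice"))
    pdc.bad_password("alice")                   # t=310
    rows.append(("bad pwd #2 @310",) + snapshot(pdc, "alice"))
    pdc.bad_password("alice")                   # t=320: threshold hit, immediate push
    rows.append(("bad pwd #3 @320 lockout",) + snapshot(pdc, "alice"))
    pdc.unlock("alice")                         # t=400: PDC reset, BDC still locked
    rows.append(("unlock @400",) + snapshot(pdc, "alice"))
    pdc.tick(600)                               # t=600: next time-based sync
    rows.append(("periodic sync @600",) + snapshot(pdc, "alice"))
    return rows


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The point the model makes visible is the window between steps: a BDC can carry a stale counter (and, after an unlock, a stale lockout flag) for up to one replication interval, which is exactly the behaviour the KB article's list of "immediate replication" triggers implies.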
