implementing password lockout

Jim McDonough jmcd at
Mon Jan 26 13:38:11 GMT 2004

>So, you may think that bad password count is not replicated, but it is,
>in fact. The count will be sent to the BDCs at the next user replication.
Umm, beep, you're wrong, too.

I'm not convinced that it's _never_ replicated (that's why I was asking you
guys), but I am convinced that it's _not always_ replicated, or at least
that the BDC doesn't always take it.  Since my schannel was encrypted, I
wasn't able to see the exact contents of the replication, but I did the

1. Made sure bad password count was zero on PDC and BDC (via rpcclient
2. Made sure user's comments were same on PDC and BDC
3. Entered a bad password on PDC, saw that count was 1 on PDC, 0 on BDC.
4. Changed user comment on PDC.
5. Requested a replication via server manager and waited for traffic to
6. Checked both bad password count and user comment.  Change was replicated
for the user comment, but _not_ for the bad password count.

Can you explain this?  I'm very open to explanations, but I'm convinced it
is possible for some user data to be replicated _without_ the bad password

THere's one more problem with replicating bad password count...the reset
time needs to be applied to the time the bad password was entered, and that
isn't anywhere in the sam, is it?  or do you guys see it somewhere that
we're missing.

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at
jmcd at

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list