implementing password lockout

Simo Sorce simo.sorce at
Mon Jan 26 13:51:33 GMT 2004

Hello Jim, I think rereading Aurélien post would give you the answers.

Clearly NT does not store the login attempt time on the SAM, but also it
does not sync the bad password account unless it is set to max, when you
reach the maximum logon failures it immediately transfers the data to
the others DCs.

This means that you have the time of the lockout (more or less the time
of the transfer, a few seconds/minutes does not really matter),
in case the lockuot is permanent you do not have any problme anyway.

So from the snippets of information we can gather from this discussion,
it seem that each DC, keep a local bad password count with a local last
pab login attempt timer. bad password count is stored in local sam but
not replicated unless you reach the maximum value admitted.

I think we can mimic the same behaviour if needed by storing the last
bad login time on an internal tdb (for ldap, you may think to add a
specific field and store it in ldap, or keep using the internal tdb but
not saving bad password count field unless you reach the max.


On Mon, 2004-01-26 at 14:38, Jim McDonough wrote:
> >So, you may think that bad password count is not replicated, but it is,
> >in fact. The count will be sent to the BDCs at the next user replication.
> Umm, beep, you're wrong, too.
> I'm not convinced that it's _never_ replicated (that's why I was asking you
> guys), but I am convinced that it's _not always_ replicated, or at least
> that the BDC doesn't always take it.  Since my schannel was encrypted, I
> wasn't able to see the exact contents of the replication, but I did the
> following:
> 1. Made sure bad password count was zero on PDC and BDC (via rpcclient
> queryuserinfo)
> 2. Made sure user's comments were same on PDC and BDC
> 3. Entered a bad password on PDC, saw that count was 1 on PDC, 0 on BDC.
> 4. Changed user comment on PDC.
> 5. Requested a replication via server manager and waited for traffic to
> occur.
> 6. Checked both bad password count and user comment.  Change was replicated
> for the user comment, but _not_ for the bad password count.
> Can you explain this?  I'm very open to explanations, but I'm convinced it
> is possible for some user data to be replicated _without_ the bad password
> count.
> THere's one more problem with replicating bad password count...the reset
> time needs to be applied to the time the bad password was entered, and that
> isn't anywhere in the sam, is it?  or do you guys see it somewhere that
> we're missing.
> ----------------------------
> Jim McDonough
> IBM Linux Technology Center
> Samba Team
> 6 Minuteman Drive
> Scarborough, ME 04074
> jmcd at
> jmcd at
> Phone: (207) 885-5565
> IBM tie-line: 776-9984
Simo Sorce - simo.sorce at
Xsec s.r.l. -
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399

More information about the samba-technical mailing list