implementing password lockout

Jim McDonough jmcd at us.ibm.com
Tue Jan 27 21:59:58 GMT 2004






>I don't think you need to worry about _not_ updating the
>ldap database. Look at this scenario:
>  Joe Hacker wants into Jill Waterman's account. In a
>  pure MS environment with a 3 bad password limit, JH
>  tries 2 passwords then for unrelated reasons the PDC
>  goes down. JH has 3 more attempts to break into JW's
>  account from the BDC.
>  In a pure samba environment with LDAP being updated
>  with bad password data, no matter what the situation,
>  JH is only going to get 3 tries no matter what.
Well, this assumes that LDAP _never_ goes down.  Let's suppose that your
LDAP master goes down.  Then, in your situation, unlike MS's, the bad
password count could _never_ get updated, giving unlimited attempts.

Seems like a bigger security hole.

It will be a common setup to have Samba PDC + LDAP master on one server
(say, central corporate directory), or at least on one site, and each
branch would have Samba BDC+ldap slave on the same machine.  In this case,
suppose the link goes down back to the central office.  If you can't update
the master, you're screwed in terms of password attempts.

Unless you have multi-master replication, I'm not convinced it's safer to
use the value in LDAP as _the_ value.  Even if the PDC stores the value in
the LDAP server every time, each BDC _must_ maintain its own count just in
case.  If the timestamp in LDAP > local timestamp (and you have to
guarantee time consistency here), use the LDAP one and update the local
with that, otherwise just use the local one.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
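
The reconciliation rule from the last paragraph of the message above, as an added example that is not part of the original post and is not Samba code: each DC keeps a local bad-password record and adopts the LDAP copy only when that copy is reachable and newer. The `bad_pw_state` struct, the function names, the use of `NULL` for an unreachable LDAP master, and the sample values are assumptions; clocks are assumed consistent across servers, as the message requires.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

#define LOCKOUT_THRESHOLD 3 /* the "3 bad password limit" from the thread */

/* Hypothetical per-account record; not a Samba structure. */
struct bad_pw_state {
    unsigned count;    /* consecutive bad passwords seen */
    time_t   last_bad; /* when the most recent one was recorded */
};

/* Adopt the LDAP copy only if it is reachable (non-NULL) and strictly newer
 * than the local one; otherwise the local copy stays authoritative. */
static void reconcile(struct bad_pw_state *local, const struct bad_pw_state *ldap)
{
    if (ldap != NULL && ldap->last_bad > local->last_bad)
        *local = *ldap;
}

/* Count a failed logon on this DC. ldap == NULL models an unreachable master.
 * Returns true once the account has reached the lockout threshold. */
bool record_bad_password(struct bad_pw_state *local, struct bad_pw_state *ldap, time_t now)
{
    reconcile(local, ldap);
    local->count++;
    local->last_bad = now;
    if (ldap != NULL)
        *ldap = *local; /* write through when the master is reachable */
    return local->count >= LOCKOUT_THRESHOLD;
}

bool is_locked(struct bad_pw_state *local, const struct bad_pw_state *ldap)
{
    reconcile(local, ldap);
    return local->count >= LOCKOUT_THRESHOLD;
}

int main(void)
{
    struct bad_pw_state ldap = { 2, 100 }, local = { 0, 0 }; /* constructed sample */
    printf("synced, locked=%d\n", is_locked(&local, &ldap));                  /* adopts count 2 */
    printf("link down, locked=%d\n", record_bad_password(&local, NULL, 200)); /* local count 3 */
    printf("link back, locked=%d\n", is_locked(&local, &ldap));               /* stale LDAP ignored */
    return 0;
}
```

With the link down the third failure is still counted locally, and when the link returns the older LDAP value does not reset the lockout.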

