Weird how bad password count works

Wong Onn Chee ocwong at usa.net
Sat Jul 31 14:12:30 GMT 2004


Hi,

I have just installed Samba 3.0.5 and OpenLDAP 2.2.13 as the account
backend.
The bad password attempt works with a strange behaviour.

When I set the bad lockout attempt to 3, no matter how many times I
login wrongly, the count remained at 0 and the time remained at 0.

However, when I set the bad lockout attempt to 1, after 1 wrong login,
the count became 1 and the time was updated.

Then I investigated some more.

I re-enabled the account hence clearing the count and time.

Next, I switched back to 3 bad lockout attempt and test using wrong
logins.
The count remained at 0 and the time remained at 0 (which is what I
expected).

Now, the strange thing follows.
I entered into the LDAP databsae and edited the count to become 2 and
inserted a valid value for the time.
So now, using pdbedit, it shows me that the test account has 2 bad
password counts.
I login wrongly again on purpose and, voila, the count increased to 3
and my test account was locked.

This lead to my conclusion that there seems to be a bug in how this
work.
The count is only incremented when it is just 1 count below the bad
lockout attempt value. This should not be the way it works.

Will greatly appreciate if the Samba team can throw some light on this.
Thanks.

Regards
Onn Chee




More information about the samba-technical mailing list