Samba and the password policy draft

Simon Annear simon.annear at solnetsolutions.co.nz
Mon Mar 15 00:10:05 GMT 2004


Jim Sermersheim wrote:
>  >>> Andrew Bartlett <abartlet at samba.org> 3/6/04 6:38:06 PM >>>
>  >What I am looking for is some additional control or operation that may
>  >be used by Samba/Heimdal/etc to say 'a user just logged in, with the
>  >right password', and 'a user just tried to log in with a wrong
>  >password'.
> 
> I'm toying with the notion of changing the draft such that it describes 
> password policy decision points, and then refers to those decision 
> points when talking about how to implement operations like bind and 
> compare. Once this is done, it should be easy to create new operations 
> (like those you mentioned) and specify which password policy decision 
> points are invoked during those new operations.
>  
> The first thing I noticed when looking at doing this is that the current 
> wording for bind (and compare) require server implementations to check 
> for a locked account prior to performing the password comparison. I 
> think we did this either as an optimization, or because we deemed it 
> important to always check for the locked account condition. I think 
> it'll be ok to just make a statement that this condition must be checked 
> whether the password comparison succeeds or fails.
>  
> The only reason I bring this up is because the suggested operations 
> above don't/can't follow the current pattern (unless there's also a 
> 'this user is going to log in' precheck operation — yuk).
>  
> Jim

My two cents worth

I know that the SunOne (JES) Directory server implements its own 
password lockout system.  I would expect that OpenLDAP should provide 
the same functionality (I know it doesn't at this point in time).  I 
believe that Novell and Microsoft's LDAP servers also all offer the same 
functionality.

I guess this means that if you're using samba via pam talking to LDAP, 
when you try and authenticate as the user you would get back an error 49 
(0x31) invalid credentials.

My way of thinking is that this means much less to administer, and if a 
user locks their account (via email, login, smb, whatever) then it is 
locked across the board.  I'm sure everyone on this group has grappled 
with keeping LDAP, NIS and Windows passwords synced - who wants to try 
and keep account lockout details synced as well.

At the end of the day - one repository for user information, and the 
least duplication of details the better.

Simon
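The decision-point split Jim describes, and the uniform error 49 Simon mentions, as an added illustration that is not part of either message: bind is built on top of two operations an application such as Samba could call directly, and the lockout check runs whether the comparison succeeded or failed. Names, thresholds and the in-memory store are assumptions.

```python
# Added example, not from the thread: a toy model of the password-policy
# decision points Jim describes. Names, thresholds and the dict store are assumed.
import hashlib
import hmac
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (0x31)
SUCCESS = 0
MAX_FAILURES = 3          # assumed pwdMaxFailure-style threshold
LOCKOUT_SECONDS = 900     # assumed pwdLockoutDuration-style value

def _hash(password):
    # Constructed sample hashing; a real directory would use a salted KDF.
    return hashlib.sha256(password.encode()).digest()

class PasswordPolicy:
    def __init__(self, users):
        # users: {name: password}; keep hash plus per-user lockout state
        self.entries = {u: {"hash": _hash(p), "failures": 0, "locked_at": None}
                        for u, p in users.items()}

    def is_locked(self, user, now):
        e = self.entries[user]
        if e["locked_at"] is not None and now - e["locked_at"] < LOCKOUT_SECONDS:
            return True
        e["locked_at"] = None  # no lock, or the lockout has expired
        return False

    # Decision point: 'a user just tried to log in with a wrong password'
    def record_failure(self, user, now):
        e = self.entries[user]
        e["failures"] += 1
        if e["failures"] >= MAX_FAILURES:
            e["failures"], e["locked_at"] = 0, now

    # Decision point: 'a user just logged in, with the right password'
    def record_success(self, user):
        self.entries[user]["failures"] = 0

    # Bind built from the decision points: the lockout check happens whether
    # the comparison succeeds or fails, so a locked account answers 49 either way.
    def bind(self, user, password, now):
        e = self.entries.get(user)
        if e is None:
            return INVALID_CREDENTIALS  # unknown user: same code as bad password
        ok = hmac.compare_digest(e["hash"], _hash(password))
        if self.is_locked(user, now):
            return INVALID_CREDENTIALS
        if ok:
            self.record_success(user)
            return SUCCESS
        self.record_failure(user, now)
        return INVALID_CREDENTIALS
```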