Bad Password Lockout Problems

John H Terpstra jht at PrimaStasys.Com
Thu Jun 23 03:26:54 GMT 2005


I spent quite some time trying to sort out an unusual problem today. The 
configuration has a PDC and two BDCs in head office, and a BDC in a branch 
office over a WAN. 

Samba 3.0.13 was installed, (updated today to 3.0.14a with same effect). All 
accounts are in LDAP.

Recently they turned on bad password count lock-out and set the maximum 
password age to 90 days. Everything seemed OK for over a month, except there 
were a gradually increasing number of incidents of accounts getting locked 
out. The max bad password count was set at 5.

From loglevel 3 logs it appeared that every time an account got locked due to 
the bad password threshold being exceeded, there was a log message during 
login processing that said:

init_sam_from_ldap: Failed to get password history for user 'username'

This message would only occur on the PDC, if the PDC happened to process the 
net logon. This error message seldom occurred on BDCs.

After the account_policy.tdb file was copied from the PDC to the BDC it too 
started to report this error message in the log files. Copying this file to 
the local BDCs made the problem a consistent one.

1. We may have a bug (not proven) in the bad password handling code.

2. Use of the NT4 Domain User Manager does NOT allow selection of a BDC - all 
operations and rights settings are affected only on the PDC. The only entity 
that can be selected in the domain selection panel is the domain name. All 
attempts to enter the name of the PDC or the BDC fail with a message that 
the domain controller could not be found.

The fact that we store NT4 Global policy settings in the account_policy.tdb 
only on the PDC leads to inconsistencies in domain operation since we appear 
to not replicate this information to BDCs. This is possibly a bad thing.

3. The pdbedit command can be used to set password aging settings and the bad 
password lockout settings - I will document the pdbedit tool before the book 
goes to print.

4. Turning off all bad password lock-out settings, and reverting to no 
password time limits, settled the site down completely.

Please can someone recommend HOW we can maintain consistent domain-wide 
security policies where the NT4 Domain User Manager is used? I'd like to 
document that before the HOWTO gets locked off for printing. It may help 
someone to avoid significant lost productivity. If necessary, I will put a 
warning in the documentation regarding the consequences of using the NT4 
Domain User Manager.

- John T.
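The inconsistency John describes (account_policy.tdb written on the PDC and never replicated to the BDCs) is something an administrator can check for directly, since pdbedit reports the current value of each policy. The script below is an added example, not code from the mail or from the Samba project: it extracts the numeric value from pdbedit's `-P` output and flags a mismatch between two domain controllers. It assumes the Samba 3 pdbedit output format shown in the comments, the `live_policy` ssh helper is hypothetical and is not executed, and the PDC/BDC outputs are constructed samples rather than captures from a real site.

```shell
#!/bin/sh
# Added example, not part of John's mail: check a Samba 3 domain for
# account-policy drift between the PDC and a BDC, using the values that
# `pdbedit -P "<policy>"` reports. Assumed output format (Samba 3 pdbedit):
#   account policy "<policy>" description: <text>
#   account policy "<policy>" value is: <number>
# The DC outputs below are constructed samples, not captured from a real site.

# policy_value OUTPUT: print the numeric value found in one pdbedit -P output,
# or nothing if no "value is:" line is present.
policy_value() {
    printf '%s\n' "$1" |
        sed -n 's/^account policy "[^"]*" value is: \([0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# compare_policy NAME PDC_OUTPUT BDC_OUTPUT: return 0 when both DCs report
# the same value, 1 when they differ or a value is missing. A difference is
# exactly the situation the mail describes, because account_policy.tdb is
# only updated on the PDC and not replicated to BDCs.
compare_policy() {
    pdc=$(policy_value "$2")
    bdc=$(policy_value "$3")
    if [ -n "$pdc" ] && [ "$pdc" = "$bdc" ]; then
        echo "OK    $1: $pdc"
        return 0
    fi
    echo "DRIFT $1: PDC=${pdc:-?} BDC=${bdc:-?}"
    return 1
}

# live_policy HOST NAME: fetch the raw pdbedit output from a real DC over ssh.
# Hypothetical helper for a live audit; it is not called in this example.
live_policy() {
    ssh "$1" pdbedit -P "$2" 2>/dev/null
}

# Constructed sample outputs: the PDC locks out after 5 bad passwords (the
# threshold in the mail), while the BDC still carries the default of 0 (off).
PDC_OUT='account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 5'
BDC_OUT='account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0'

# Stand-alone demonstration: prints a DRIFT line for the constructed site.
compare_policy "bad lockout attempt" "$PDC_OUT" "$BDC_OUT" || true
```

For a real audit, replace the constructed strings with `live_policy pdc.example "bad lockout attempt"` and the same call against each BDC, and repeat for the other policies in play ("maximum password age", "lockout duration", "reset count minutes"). Where drift is found, item 3 of the mail applies: `pdbedit -P "<policy>" -C <value>` sets the value on the DC it is run on, so the same command has to be run on every DC until the policy data is replicated.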
