Bad Password Lockout Problems
John H Terpstra
jht at PrimaStasys.Com
Thu Jun 23 03:26:54 GMT 2005
Folks,
I spent quite some time trying to sort out an unusual problem today. The
configuration has a PDC and two BDC in head office, and a BDC in a branch
office over a WAN.
Samba 3.0.13 was installed (updated today to 3.0.14a with same effect). All
accounts are in LDAP.
Recently they turned on bad password count lock-out and set the maximum
password age to 90 days. Everything seemed OK for over a month, except there
were a gradually increasing number of incidents of accounts getting locked
out. The max bad password count was set at 5.
For loglevel 3 logs it appeared that every time an account got locked due to
the bad password threshold being exceeded there was a log message during
login processing that said:
init_sam_from_ldap: Failed to get password history for user 'username'
This message would only occur on the PDC, if the PDC happened to process the
net logon. This error message seldom occurred on BDCs.
After the account_policy.tdb file was copied from the PDC to the BDC it too
started to report this error message in the log files. Copying this file to
the local BDCs made the problem a consistent one.
Observations:
----------------
1. We may have a bug (not proven) in the bad password handling code.
2. Use of the NT4 Domain User Manager does NOT allow selection of a BDC - all
operations and rights settings are affected only on the PDC. The only entity
that can be selected in the domain selection panel is the domain name. All
attempts to enter the name of the PDC or the BDC fail with a message that
the domain controller could not be found.
The fact that we store NT4 Global policy settings in the account_policy.tdb
only on the PDC leads to inconsistencies in domain operation since we appear
to not replicate this information to BDCs. This is possibly a bad thing.
3. The pdbedit command can be used to set password aging settings and the bad
password lockout settings - I will document the pdbedit tool before the book
goes to print.
4. Turning off all bad password lock-out settings, and reverting to no
password time limits, settled the site down completely.
Please can someone recommend HOW we can maintain consistent domain-wide
security policies where the NT4 Domain User Manager is used? I'd like to
document that before the HOWTO gets locked off for printing. I may help
someone to avoid significant lost productivity. If necessary, I will put a
warning in the documentation regarding the consequences of using the NT4
Domain User Manager.
- John T.
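
Added example (not part of the original message, and not Samba project code): one way to spot the inconsistency described above is to dump the account policy on each domain controller with pdbedit -P and compare every BDC against the PDC. The function names, the file layout (one "policy name=value" line per policy) and the parsing of pdbedit's output are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: detect account-policy drift between Samba domain controllers.
# Policy names as accepted by "pdbedit -P"; extend the list as needed.
POLICIES='bad lockout attempt
maximum password age
lockout duration
reset count minutes
password history'

# Run on each DC:  dump_policies > /tmp/$(hostname).policy
# Assumption: the last line of "pdbedit -P <name>" output that contains a
# number ends with the policy value; adjust the sed expression if your
# Samba version prints it differently.
dump_policies() {
    echo "$POLICIES" | while IFS= read -r p; do
        v=$(pdbedit -P "$p" 2>/dev/null |
            sed -n 's/.*[^0-9]\([0-9][0-9]*\)[^0-9]*$/\1/p' | tail -n 1)
        printf '%s=%s\n' "$p" "${v:-UNKNOWN}"
    done
}

# policy_drift REFERENCE_FILE OTHER_FILE
# REFERENCE_FILE is the PDC dump, OTHER_FILE a BDC dump.
# Prints one DRIFT line per policy whose value differs or is missing on the
# other DC. Returns 1 if any drift was found, 0 if the two dumps agree.
policy_drift() {
    ref=$1
    other=$2
    rc=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(sed -n "s/^$name=//p" "$other" | head -n 1)
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s: reference=%s other=%s\n' \
                "$name" "$want" "${have:-MISSING}"
            rc=1
        fi
    done < "$ref"
    return $rc
}
```

Collect the dumps on one host and run policy_drift pdc.policy bdc1.policy for each BDC; any DRIFT line marks a controller enforcing a different lockout or password-age policy than the PDC.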