Bad Password Lockout Problems
idra at samba.org
Thu Jun 23 07:40:38 GMT 2005
On Wed, 2005-06-22 at 21:26 -0600, John H Terpstra wrote:
> 1. We may have a bug (not proven) in the bad password handling code.
what kind of bug?
do you mean that the password history was indeed present ?
> 2. Use of the NT4 Domain User Manager does NOT allow selection of a BDC - all
> operations and rights settings are affected only on the PDC. The only entity
> that can be selected in the domain selection panel is the domain name. All
> attempts to enter the name of the PDC or the DBC fails with a message that
> the domain controller could not be found.
Yes no way to address a specific DC, usrmgr.exe will always try to
contact the PDC and attach to a BDC only in case the PDC is unavailable.
> The fact that we store NT4 Global policy settings in the account_policy.tdb
> only on the PDC leads to inconsistencies in domain operation since we appear
> to not replicate this information to BDCs. This is possibly a bad thing.
It is a bad thing, but a known bad thing, we should document that.
> 3. The pdbedit command can be used to set password aging settings and the bad
> password lockout settings - I will document the pdbedit tool before the book
> goes to print.
> 4. Turning off all bad password lock-out settings, and reverting to no
> password time limits, settled the site down completely.
> Please can someone recommend HOW we can maintain consistent domain-wide
> security policies where the NT4 Domain User Manager is used?
The only way is to move policies into ldap (for ldap setups), I think I
already talk with Jerry about that, but I can't remember the outcome.
Jerry, is that ok with you?
I'm available to write a patch to address this problem if you're ok with
> I'd like to
> document that before the HOWTO gets locked off for printing. I may help
> someone to avoid significant lost productivity. If necessary, I will put a
> warning in the documentation regarding the consequences of using the NT4
> Domain User Manager.
You should warn that account policies currently are NOT replicated, and
so must be kept synchronized by pdbedit.
Simo Sorce - idra at samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
More information about the samba-technical