Bad Password Lockout Problems

Simo Sorce idra at
Thu Jun 23 07:40:38 GMT 2005

On Wed, 2005-06-22 at 21:26 -0600, John H Terpstra wrote:
> Observations:
> ----------------
> 1. We may have a bug (not proven) in the bad password handling code.

What kind of bug?
Do you mean that the password history was indeed present?

> 2. Use of the NT4 Domain User Manager does NOT allow selection of a BDC - all 
> operations and rights settings are affected only on the PDC. The only entity 
> that can be selected in the domain selection panel is the domain name. All 
> attempts to enter the name of the PDC or the BDC fail with a message that 
> the domain controller could not be found.

Yes, no way to address a specific DC, usrmgr.exe will always try to
contact the PDC and attach to a BDC only in case the PDC is unavailable.

> The fact that we store NT4 Global policy settings in the account_policy.tdb 
> only on the PDC leads to inconsistencies in domain operation since we appear 
> to not replicate this information to BDCs. This is possibly a bad thing.

It is a bad thing, but a known bad thing, we should document that.

> 3. The pdbedit command can be used to set password aging settings and the bad 
> password lockout settings - I will document the pdbedit tool before the book 
> goes to print.


> 4. Turning off all bad password lock-out settings, and reverting to no 
> password time limits, settled the site down completely.
> Please can someone recommend HOW we can maintain consistent domain-wide 
> security policies where the NT4 Domain User Manager is used?

The only way is to move policies into LDAP (for LDAP setups), I think I
already talked with Jerry about that, but I can't remember the outcome.

Jerry, is that ok with you?
I'm available to write a patch to address this problem if you're ok with

>  I'd like to 
> document that before the HOWTO gets locked off for printing. I may help 
> someone to avoid significant lost productivity. If necessary, I will put a 
> warning in the documentation regarding the consequences of using the NT4 
> Domain User Manager.

You should warn that account policies currently are NOT replicated, and
so must be kept synchronized by pdbedit.


Simo Sorce    -  idra at
Samba Team    -
Italian Site  -
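
The thread's point that account policies are not replicated and must be kept in step with pdbedit can be checked mechanically. The following is an added example, not part of the original message and not Samba code: it compares policy values captured on a PDC and a BDC and reports any that differ. Assumptions: each capture holds one line per policy in the form `account policy value for <name> is <number>` (the form printed by `pdbedit -P "<name>"` in Samba 3.0.x), and the function names, file names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect account policy drift between two domain controllers.
# Assumed capture format, one line per policy:
#   account policy value for <name> is <number>

# Policy names accepted by `pdbedit -P` for lockout and password aging.
POLICIES='bad lockout attempt
lockout duration
reset count minutes
maximum password age
minimum password age
password history
min password length'

# A capture could be produced on each DC (as root) with:
#   echo "$POLICIES" | while IFS= read -r p; do pdbedit -P "$p"; done > dc.policy

# policy_value FILE NAME: print the numeric value, or "unset" if not captured.
policy_value() {
    v=$(sed -n "s/^account policy value for $2 is \([0-9][0-9]*\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-unset}"
}

# policy_drift PDC_FILE BDC_FILE: print one line per differing policy.
# Exit status is 0 when both captures agree, 1 when any policy differs.
policy_drift() {
    drift=0
    while IFS= read -r name; do
        a=$(policy_value "$1" "$name")
        b=$(policy_value "$2" "$name")
        if [ "$a" != "$b" ]; then
            echo "DRIFT $name: pdc=$a bdc=$b"
            drift=1
        fi
    done <<EOF
$POLICIES
EOF
    return $drift
}

# Constructed sample captures: the PDC locks accounts after 5 bad passwords,
# while the BDC still has lockout disabled (0).
write_samples() {
    printf '%s\n' 'account policy value for bad lockout attempt is 5' \
                  'account policy value for lockout duration is 30' > "$1/pdc.policy"
    printf '%s\n' 'account policy value for bad lockout attempt is 0' \
                  'account policy value for lockout duration is 30' > "$1/bdc.policy"
}
```

A non-zero exit from `policy_drift` makes it usable from cron or a monitoring check, so a policy changed through usrmgr.exe on the PDC is noticed before BDCs enforce something different.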
