Bad Password Lockout Problems
John H Terpstra
jht at PrimaStasys.Com
Thu Jun 23 15:53:35 GMT 2005
On Thursday 23 June 2005 02:51, Guenther Deschner wrote:
> On Thu, Jun 23, 2005 at 09:40:38AM +0200, Simo Sorce wrote:
> > On Wed, 2005-06-22 at 21:26 -0600, John H Terpstra wrote:
> > > Observations:
> > > ----------------
> > > 1. We may have a bug (not proven) in the bad password handling code.
> > what kind of bug?
> > do you mean that the password history was indeed present ?
> John, any chance your password history is set to more than 15 passwords ?
No. It was set to 5, we tried 9. All settings had the same effect. The testing
I put them through to diagnose this was met with resistance because the site
needed to get users working again. I could not get network traces - something
I repetitively asked for.
It seems that the site tested password ageing and experimented with it around
January, then some time around the release of 3.0.13 they enabled password
aging. I have not been able to determine when bad password lock-out was
turned on, I was told that they have been working towards Sarbanes-Oxley
compliance for a 'few' months.
I do not understand why the account lock-out problem has not been consistent
since the time that bad password lockout was enabled. They claim it got
progressively worse over the last month until yesterday - when many users
could not work. That is when I was asked to help them to get users working
again. The bit about it "getting worse" does not make sense.
PS: This was an exciting issue to deal with. I have not met a Sarbanes-Oxley
compliance need before. Maybe that is because I haven't asked. :-)
> > > Please can someone recommend HOW we can maintain consistent domain-wide
> > > security policies where the NT4 Domain User Manager is used?
> > The only way is to move policies into ldap (for ldap setups), I think I
> > already talk with Jerry about that, but I can't remember the outcome.
> Simo, replicated account-policies in LDAP (as part of ldapsam) are part of
> samba3-trunk since a long time already.
> Well, one of the well-hidden-almost-unknown features of trunk, I guess :)
That did not make it into the releases.
> It has a couple of issues (on my long list of things to fix) and will see a
> redesign to put all account-policies directly below the sambaDomainObject.
> I hope to be able to work on that next.
The solution will be welcome.
- John T.